nspawn: mount most of the cgroup tree read-only in nspawn containers except...

nspawn: mount most of the cgroup tree read-only in nspawn containers except for the container's own subtree in the name=systemd hierarchy

More specifically mount all other hierarchies in their entirety and the
name=systemd above the container's subtree read-only.