pub(crate) fn unprivileged_subprocess(binary: &str, user: &str) -> Command
Return a prepared subprocess configuration that will run as an unprivileged user if possible.
This currently only drops privileges when run under systemd with DynamicUser.