Johannes Meixner changed bug 1195288
What    Removed  Added
Status  NEW      IN_PROGRESS

Comment # 8 on bug 1195288 from
Johannes Segitz,
thank you for the info!
This is what I need - i.e. what "the right setting" is for systemd.
I will fix CUPS and cups-filters myself.

FYI what cupsd basically does:

All print queue setup things happen via the cupsd.
A client (e.g. the local lpadmin command) only
talks to the cupsd and the cupsd does the actual setup, cf.
"How to set up a print queue in full compliance with CUPS" in
https://en.opensuse.org/SDB:CUPS_in_a_Nutshell
For printer autodetection a client calls "lpinfo" which
talks to the cupsd and the cupsd runs each so called backend, cf.
https://en.opensuse.org/SDB:CUPS_in_a_Nutshell#The_Backends
in /usr/lib/cups/backend as child processes to let each
backend autodetect its printers.
Some backends run as root to be able to access device nodes
to access the actual printer devices.
Some backends are wrappers that call other backends.
CUPS backends are arbitrary programs that implement
whatever is needed to send printing data to a printer
and alternatively to autodetect printer devices.

All print job processing is done via the cupsd.
A local or remote client submits a print job to the cupsd.
The cupsd stores print job data in /var/spool/cups.
To get a print job output on a printer device
the cupsd runs several so called filters as child processes.
Those filters are arbitrary programs (normally run as 'lp')
that implement whatever is needed to produce printing data
for a specific printer from the original print job data.
Often filters call other programs as child processes
(e.g. several filters call Ghostscript).

If those systemd sandboxing restrictions apply not only
to the cupsd itself but are also inherited by child processes,
then it likely becomes highly problematic to keep the current
functionality that current CUPS backends and filters
need to make printing work in all currently
implemented cases (which are more than I can remember).

