OK, I have no words for this: https://github.com/systemd/systemd/issues/6237
If your username doesn't match what Poettering expects usernames to be (which doesn't seem to be documented anywhere, but `[a-zA-Z]+` is *probably* safe?), then systemd will happily run your user services as root.
Reply: not-a-bug, don't use “invalid usernames”...
Paging @KitRedgrave, @mwlucas and @phessler for hilarity.
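
An added example, not part of the original post or of systemd: a small audit that reads unit file text and lists every service whose effective `User=` value falls outside the `[a-zA-Z]+` pattern the post guesses is safe, so those units can be checked by hand. The pattern is the post's guess rather than systemd's actual rule, and the unit names and contents below are constructed samples.

```python
import re

# Assumption: the post's "probably safe" guess, not systemd's real validation rule.
CONSERVATIVE_NAME = re.compile(r"[a-zA-Z]+")

def effective_user(unit_text):
    """Return the last User= value assigned in [Service], or None if unset."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "User":
            # Later assignments override earlier ones; an empty value is
            # treated here as "unset" (assumption of this example).
            user = value.strip() or None
    return user

def audit(units):
    """Map unit name -> User= value for units that need manual review."""
    findings = {}
    for name, text in units.items():
        user = effective_user(text)
        if user is not None and not CONSERVATIVE_NAME.fullmatch(user):
            findings[name] = user
    return findings

# Constructed sample units (names and contents are illustrative only).
SAMPLE_UNITS = {
    "web.service": "[Unit]\nDescription=web\n\n[Service]\nUser=www\nExecStart=/usr/bin/true\n",
    "digit.service": "[Service]\n; name starts with a digit\nUser=7svc\nExecStart=/usr/bin/true\n",
    "nouser.service": "[Service]\nExecStart=/usr/bin/true\n",
    "override.service": "[Service]\nUser=svc-app\nUser=svcapp\nExecStart=/usr/bin/true\n",
}

if __name__ == "__main__":
    for unit, user in sorted(audit(SAMPLE_UNITS).items()):
        print(f"{unit}: User={user!r} is outside the conservative pattern; "
              "confirm which account the service actually runs as")
```

A flagged unit is only a candidate for review: compare the owner of the running process (for example via `systemctl show -p MainPID` and `ps`) with the account the unit names.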