Comment 14 for bug 1989019

> Because systemd uses shared mount propagation by default
That's definitely the cause. I consider that an extremely dangerous default. If you mount a filesystem ro you expect it to be ro. It's even one of the main use cases of bind mounts, to provide read-only access.

Whoever decided shared mount propagation was a good idea should really rethink that imho.

All in all I rather like the systemd way with unit files. It's definitely more standardized than the bunch of haphazard shellscripts we usedd to wrangle. But imho there's a bit too much 'automagic' stuff happening everywhere in the system.