libtomcat9-java and tomcat9-common 9.0.31-1ubuntu0.2 causes read-only file system for Tomcat

Clarification on this after further research. It appears that after this update, the tomcat9 service is no longer honoring the sandbox settings in the systemd script. The service can write to the default folders like /var/log/tomcat9, but not to the custom folders I've specified in the systemd script as follows:

# Security
User=tomcat
Group=tomcat
PrivateTmp=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
CacheDirectory=tomcat9
CacheDirectoryMode=750
ProtectSystem=strict
ReadWritePaths=/etc/tomcat9/Catalina/
ReadWritePaths=/var/lib/tomcat9/webapps/
ReadWritePaths=/var/log/tomcat9/
ReadWritePaths=/custom/path/here/

Tomcat is not given access to the /custom/path/here path. Also, changing ProtectSystem=strict to ProtectSystem=false has no effect. This setup was working before the update and hasn't changed for a fairly long time.

This is the error in the /var/log/tomcat9/catalina... log:

01-Apr-2022 21:56:24.959 SEVERE [main] org.apache.catalina.valves.AccessLogValve.open Failed to open access log file [/custom/path/here/access_log.2022-04-01.txt]
        java.io.FileNotFoundException: /custom/path/here/access_log.2022-04-01.txt (Read-only file system)

I've changed an application specific path to /custom/path/here to be consistent with my previous comment.

I believe I am running into this as well -- the symptom for me is that WAR files no longer unpack because it cannot write to webapps directories.

Status changed to 'Confirmed' because the bug affects multiple users.