[acdha]

Check example 3.4 here for a polkit policy allowing an arbitrary user to restart a single unit:

https://wiki.archlinux.org/title/Polkit

[twic]

Does this let them modify the unit file, create units, create timers, etc?

User systemd allows that kind of complete self-service, and so lets you do application deployment and management without touching the root account, which is rather nice.

[BenjiWiebe]

If they can edit a service that runs with more privileges than they have, that's a privilege escalation vulnerability.

Polkit lets a non-root user restart a root/privileged service without letting the non-root user gain privileges.