by tankenmate 728 days ago
One issue I see with this is Single User Mode (aka recovery mode in grub (or similar) boot loader). Now you can't log in as root to recover from init (systemd) configuration issues without having alternate boot media to get you access. I know it might sound pedantic but I used just this feature two days ago while upgrading a machine to a newer Linux release (the upgrade introduced an issue with the systemd / netplan config that got systemd into a loop due to deprecated keywords in the netplan config).

If you want traditional single user mode that drops you to a root shell even though your root account is locked, add SYSTEMD_SULOGIN_FORCE=1 to the environment of rescue.service and emergency.service (systemctl edit rescue.service). Of course that exact solution isn't always a good idea depending on the situation but in general that situation can be dealt with differently from normal access while running correctly.
Ouch, that's a major security issue if configured that way. That's something I'll want to add to my hardening checks.
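
A hardening check of the kind the last comment mentions could look like the following. This is an added example, not code from the thread or from systemd: it statically scans the rescue.service and emergency.service unit files and their drop-ins for an uncommented Environment= line that turns SYSTEMD_SULOGIN_FORCE on. The function names, the optional ROOT prefix and the sample tree are assumptions made for illustration, and EnvironmentFile= and later Environment= resets are not evaluated.

```shell
#!/bin/sh
# check_sulogin_force [ROOT]
#   Prints every rescue/emergency unit file or drop-in under ROOT that
#   enables SYSTEMD_SULOGIN_FORCE; returns 1 if any is found, else 0.
#   ROOT defaults to / (a prefix lets you audit a mounted image or a test tree).
check_sulogin_force() {
    root=${1:-/}
    found=0
    # Standard unit search paths; on merged-/usr hosts lib and usr/lib coincide.
    for dir in etc/systemd/system run/systemd/system usr/lib/systemd/system lib/systemd/system; do
        for unit in rescue.service emergency.service; do
            for f in "$root/$dir/$unit" "$root/$dir/$unit.d"/*.conf; do
                [ -f "$f" ] || continue
                # Uncommented Environment= line with a true boolean value
                # (matched case-insensitively: 1, y, yes, t, true, on).
                if grep -Eiq '^[[:space:]]*Environment=.*SYSTEMD_SULOGIN_FORCE=(1|y|yes|t|true|on)(["'\''[:space:]]|$)' "$f"; then
                    echo "$f"
                    found=1
                fi
            done
        done
    done
    return "$found"
}

# Constructed sample tree (not from a real host): one drop-in as written by
# "systemctl edit rescue.service", plus a unit where the line is commented out.
build_sample() {
    mkdir -p "$1/etc/systemd/system/rescue.service.d" "$1/usr/lib/systemd/system"
    printf '[Service]\nEnvironment=SYSTEMD_SULOGIN_FORCE=1\n' \
        > "$1/etc/systemd/system/rescue.service.d/override.conf"
    printf '[Service]\n#Environment=SYSTEMD_SULOGIN_FORCE=1\n' \
        > "$1/usr/lib/systemd/system/emergency.service"
}

# Demo on the constructed tree; call check_sulogin_force / to audit a host.
demo=$(mktemp -d)
build_sample "$demo"
check_sulogin_force "$demo" || echo "FAIL: root shell without password in rescue/emergency mode"
rm -rf "$demo"
```

On a running system, `systemctl show -p Environment rescue.service emergency.service` reports the effective environment after all drop-ins are merged and is a useful cross-check.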