dev-db/mysql-init-scripts's systemd services, mysqld.service and mysqld@.service, should use systemd's hardening features:

# To allow memlock to be used as non-root user if set in configuration
CapabilityBoundingSet=CAP_IPC_LOCK
ProtectSystem=full (or at least true)
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=true
UMask=007

I tested these settings and didn't experience any problems in my (admittedly limited) setup. I think they should be fine for anyone except for exceptional and odd situations. For the (very rare) impacted user, they can always override the systemd service - but a secure configuration should be the default.
https://github.com/gentoo/gentoo/pull/1784
Please also test this with the latest MariaDB with a galera cluster configuration (USE=galera with >=dev-db/mariadb-10.1.0). Galera will pull remote files via rsync or xtrabackup and is meant to be a common setup. I don't want to harden too much.
https://mariadb.com/kb/en/mariadb/getting-started-with-mariadb-galera-cluster/ for info on how to set a cluster up.
Since MariaDB upstream committed these options, I've added them with mysql-init-scripts-2.1-r1.
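
Added example, not part of the bug thread and not code from Gentoo or MariaDB: a small checker that reads a unit file's [Service] section and reports which of the hardening directives listed in the report are missing or set to a different value. The function names and both sample units (including the ExecStart path) are constructed for illustration.

```python
# Directives and values as listed in the report; ProtectSystem may be
# "full" or "true" per its "(or at least true)".
EXPECTED = {
    "CapabilityBoundingSet": {"CAP_IPC_LOCK"},
    "ProtectSystem": {"full", "true"},
    "NoNewPrivileges": {"true"},
    "PrivateDevices": {"true"},
    "ProtectHome": {"true"},
    "UMask": {"007"},
}

def normalize(key, value):
    """Fold systemd's boolean spellings and octal UMask forms into one form."""
    if key == "UMask":
        return "%03o" % int(value, 8)
    return "true" if value.lower() in ("1", "yes", "true", "on") else value

def service_settings(unit_text):
    """Return the [Service] key -> value map; a later assignment wins.
    Simplification: list settings such as CapabilityBoundingSet are not merged."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(unit_text):
    """Return {directive: value found or None} for each directive not as listed."""
    have = service_settings(unit_text)
    return {k: have.get(k) for k, ok in EXPECTED.items()
            if k not in have or normalize(k, have[k]) not in ok}

# Constructed sample units, not the real mysqld.service.
UNHARDENED = ("[Unit]\nDescription=MySQL database server (sample)\n"
              "[Service]\nUser=mysql\nExecStart=/usr/sbin/mysqld\nProtectSystem=yes\n")
HARDENED = UNHARDENED + ("# To allow memlock to be used as non-root user\n"
                         "CapabilityBoundingSet=CAP_IPC_LOCK\nProtectSystem=full\n"
                         "NoNewPrivileges=true\nPrivateDevices=true\n"
                         "ProtectHome=true\nUMask=007\n")

if __name__ == "__main__":
    for name, unit in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit(unit) or "all listed directives set")
```

The checker only reads the text it is given, so drop-in overrides under a .d directory have to be concatenated after the main unit before auditing.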