For root, group enforcement needs to come after PrivateDevices=y set up according to 096424d123. Add a test to verify this is the case.
096424d123