Nothing to be concerned about here, other than the usual “systemd tries to do too much”.
The behavior is documented, not malicious, and even useful.
Essentially, systemd sets up a bpf firewall that enables it to restrict services’ network access - it’s a security feature, not a bug.
This is what it is used/useful for:
Is it possible to accomplish this by other means? Yes.
Is it possible to accomplish this by other means in a way that would enable a beginner to make use of the functionality? Not so much.
Should there be a switch to turn it off? Absolutely, systemd has never been great at making some of its features optional.
Since systemd’s job is to launch services and control what they do (FWIW this type of functionality was available in earlier applications that systemd mostly replaced - such as inetd/xinetd - as well, implemented through tcp_wrappers), I’d argue it is actually doing the right thing here.
Rootkits detecting this as a possible rootkit is a false positive, but certainly understandable given they should be watching out for anything potentially messing with network traffic. They need to be updated to understand this is a false positive.
While I have a few issues with systemd myself (it’s trying to do too much, some of its code isn’t great, …), it is nowhere near as bad as its opponents are saying.
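For readers who want to see the feature the comment refers to, here is an added example (not from the post's author) of a systemd drop-in that uses the BPF-based per-service IP filtering; the unit name `example-web.service` and the address ranges are assumed placeholders.

```ini
# /etc/systemd/system/example-web.service.d/10-netfilter.conf
# Drop-in for a hypothetical service. systemd enforces these directives
# with a BPF program attached to the service's cgroup, which is the
# "firewall" rootkit scanners may flag.
[Service]
# Deny-by-default: block all IPv4/IPv6 traffic to and from this service...
IPAddressDeny=any
# ...then allow only loopback and the (placeholder) internal network.
# Allow rules take precedence over deny rules.
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
# Optional: collect per-service traffic counters in the same BPF hook.
IPAccounting=yes
```

After `systemctl daemon-reload && systemctl restart example-web.service`, `systemctl show -p IPAddressDeny -p IPAddressAllow example-web.service` reports the active lists, and `systemd-analyze security example-web.service` scores the unit's exposure including these settings.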