RestrictAdressFamilies, a systemd.exec feature would have been a good option to bring limit surface attack because it excludes obscure protocols from interacting with the daemon, but its not available on x86:
"RestrictAddressFamilies= Note that this option has no effect on 32-bit x86 and is ignored (but works correctly on x86-64)."
Unfortunately iptables cannot recognize or limit address families it is something up to the process itself:
This is something that can be defined in the python script by specifying
it as a socket parameter:
search for AF_INET
cpfpd's code could include this for further hardening.