nspawn: sync DeviceAllow= setting with systemd-nspawn@.service

Follow-up for dc3223919f.
Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748592958.

Otherwise, containers started with and without --keep-unit option run in
different device policies.

src/nspawn/nspawn-register.c

@@ -43,7 +43,7 @@ static int append_machine_properties(
                 return bus_log_create_error(r);
         if (enable_fuse) {
                 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 1,
-                                          "/dev/fuse", "rw");
+                                          "/dev/fuse", "rwm");
                 if (r < 0)
                         return bus_log_create_error(r);
         }

units/systemd-nspawn@.service.in

@@ -36,9 +36,6 @@ TasksMax=16384
 DevicePolicy=closed
 DeviceAllow=/dev/net/tun rwm
 DeviceAllow=char-pts rw
-{# /dev/fuse gets 'm' here even though it doesn't in nspawn-register.c, since
- # efedb6b0f3 (nspawn: refuse to bind mount device node from host when
- # --private-users= is specified, 2024-09-05) #}
 DeviceAllow=/dev/fuse rwm
 
 # nspawn itself needs access to /dev/loop-control and /dev/loop, to implement