thumbnail: Fix slow thumbnailer due to missing font cache

On some distributions, the font cache doesn't live in /usr but in /var,
which we don't allow access to when sandboxing the thumbnailers. Bind
mount the fontconfig cache directory read-only if it lives outside /usr,
to speed up thumbnailer startup.

Closes: #90
