Now, two years later, is there a solution for this problem? It would be already great to have read-only access /etc/passwd, /etc/shadow, /etc/shadow-, /var/lib/extrausers/shadow, … as then password authentication for administrative commands and the web interface should work.
For adding an “lpadmin” group we would need a solution of Multiple users and groups in snaps. Is there any progress there?