I spent some time looking into this over the weekend, and in reading
the dnsmasq documentation realized that just dnsmasq-base would be
sufficient for LXD's use, very much like libvirt's packaging. That will
pull in the dnsmasq binary for LXD's use, but not setup a system-wide
service. I've done some testing this afternoon, and things seem to work
properly, so the change of Recommending dnsmasq -> dnsmasq-base will be
included in the next LXD upload.
More generally, if you're concerned about the default configuration
of dnsmasq, please open a bug against that package. I would hope end-
users will have some sort of firewall between their systems and the
wider Internet to block unintended access to a DNS resolver. It would
be inappropriate for another package (lxd) to try to directly modify
dnsmasq's configuration.