Hi,
That's nucely written out, better than I could.
An extra bit of policy(*) I attempt to infuse with/for systemd-cron is this one: the name of the crontab (here "apt-compat")
should match the name of the main timer (here "apt-daily", so not the case yet) so that systemd-cron will ignore this one crontab and won't generate a dynamic .timer + .service in /run for this package.
So my end goal for systemd-cron is that it would do nothing i.e. generate no dynamic .timer / .service pair because all crontab would have a matching static .timer shipped in the same package.
I understand it's a bit convulated to wrap it's mind around this one.
(*): not yet proposed for Policy, already talked about here:
Greetings,
/etc/cron.daily/apt-compat
/usr/lib/apt/apt.systemd.daily
/lib/systemd/system/apt-daily.service
/lib/systemd/system/apt-daily.timer
/lib/systemd/system/apt-daily-upgrade.service
/lib/systemd/system/apt-daily-upgrade.timer