Some remarks after I looked somewhat deeper into this:
1. Masking a service is a practice which is also used to "quaratine" non-critical services in case of security vulnerabilities, until a patch is out. That should be good enough for now.
2. At the time of this writing, SSSD has 32 unfixed bugs:
But as far as I could see, they only matter when actually using the package.
3. How did SSSD ever get on my machine? It was introduced with Ubuntu MATE 22.04 and during a clean install, the installer asks you whether you want a setup with or without support for Active Directory.
But if you do an upgrade from 20 to 22, there is no such option. I just upgraded a VM from 20 to 22 to make sure: It just installs and you end up with a network service that's useless for pure home users. (And to make matters worse: One designed by Microsoft. 
) Unless I had investigated what these errors are, I would not even know that I have it.
4. Ironically enough, the fix which I had found (see Post-1) makes things worse. After the upgrade, a configuration file is missing and therefore
systemctl status sssd
shows SSSD as "Dead (inactive)". The fix puts the configuration file in the right place and then it IS active. Masking SSSD abolishes this by making it unreachable.