Sandboxing in systemd? I would’ve shown my (somewhat manual) method but then I was strolling through the GitHub and saw shh (systemd hardening helper). It uses strace to generate suggestions. You’ll need to be extremely careful, playing inside a sandbox summons debugging hell. I tried it briefly.
Another wandering soul whispering into the void. If you are looking for my blog you are in the wrong place. The profile and header pictures are brought to you by cdd20.