Sandboxing in systemd? I would’ve shown my (somewhat manual) method but then I was strolling through the GitHub and saw shh (systemd hardening helper). It uses strace to generate suggestions. You’ll need to be extremely careful, playing inside a sandbox summons debugging hell. I tried it briefly.