How does this compare to just using systemd's sandboxing? ProtectSystem=strict, PrivateDevices, RestrictNamespaces etc. give you a pretty solid sandbox for any long-running daemon without extra tooling. Genuine question — I've been relying on systemd hardening for my own projects and wondering what I'm missing.
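For readers comparing the two approaches, here is a unit file that uses the directives named in this comment plus the usual companions, added as an illustration rather than the commenter's own configuration; the service name, binary path and state directory are assumed placeholders.

```ini
# Added example (not from the original post): a long-running daemon
# sandboxed with stock systemd directives only. Service name, binary
# and directory names are assumed placeholders.
[Unit]
Description=Example hardened daemon (placeholder)

[Service]
ExecStart=/usr/local/bin/exampled
User=exampled
Group=exampled

# Whole filesystem read-only except /dev, /proc, /sys and /run;
# StateDirectory= creates /var/lib/exampled and keeps it writable
# even under ProtectSystem=strict.
ProtectSystem=strict
StateDirectory=exampled
PrivateTmp=yes

# No physical devices, other users' homes, or kernel knobs.
PrivateDevices=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Deny creating new namespaces and gaining privileges after exec.
RestrictNamespaces=yes
NoNewPrivileges=yes

# Drop every capability; add back only what the daemon really needs.
CapabilityBoundingSet=
AmbientCapabilities=

# Limit socket families and the syscall surface.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security exampled.service` prints an exposure score for the unit and lists which sandboxing directives are still unset, which is the quickest way to see what a given hardening profile leaves open.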