Apply systemd sandboxing by default to some services

Development
81
82
83
84

Would dropping SystemCallArchitectures=native simplify syscall filter?