systemd unit file could use more filesystem namespace hardening options

systemd has nice features to restrict what part of the filesystem a service has read-only or read-write access to (ReadOnlyDirectories, ReadWriteDirectories) that we could use. Also InaccessibleDirectories could be made a bit more restrictive.
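As an added illustration (not from the original issue), the drop-in below shows how these directives fit together for a hypothetical `example.service`, using the current spellings `ReadOnlyPaths=`, `ReadWritePaths=` and `InaccessiblePaths=` (systemd still accepts the older `*Directories=` names as aliases). The unit name and the `/var/lib/example`, `/etc/example` and `/srv/other-app` paths are placeholders for the service's real state, config and unrelated data directories.

```ini
# /etc/systemd/system/example.service.d/hardening.conf  (placeholder path)
# Filesystem-namespace hardening for a hypothetical example.service.
[Service]
# Make the whole OS tree read-only for the service; only /dev, /proc and
# /sys stay writable. Writable areas are then carved out explicitly.
ProtectSystem=strict
# Hide all home directories from the service.
ProtectHome=yes
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=yes

# The only directory the service needs to write to.
ReadWritePaths=/var/lib/example
# Configuration is readable but must not be modified by the service.
ReadOnlyPaths=/etc/example
# Data belonging to other applications is not visible at all.
InaccessiblePaths=/srv/other-app

# Without this a privileged process could regain capabilities and undo
# the mount namespace restrictions above.
NoNewPrivileges=yes
```

After `systemctl daemon-reload`, `systemd-analyze verify example.service` checks the unit for syntax problems and `systemd-analyze security example.service` reports which sandboxing options are still missing.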
