How to whitelist directories for Units in systemd

ReadWritePaths and its ilk are only really useful when used alongside options that blacklist certain paths. If you know for a fact that your application should only be able to access certain paths, you can do some combination of the following:

  • Set ProtectSystem=strict, and whitelist particular directories for writing with ReadWritePaths.
  • Set ReadOnlyPaths, and whitelist particular directories with ReadWritePaths. If doing this with /, it does a superset of what ProtectSystem does (it also restricts /dev, /proc, and /sys, which you may not want). You can also use PrivateDevices, ProtectKernelTunables, and ProtectControlGroups to protect these directories.
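As an added illustration (not part of the original answer), here is a complete unit file that applies the first variant, with the second variant shown in comments. The service name `example-app`, the binary path and the data directories are hypothetical placeholders; substitute your own.

```ini
# /etc/systemd/system/example-app.service  (hypothetical example unit)
[Unit]
Description=Example app confined to an explicit write whitelist
After=network.target

[Service]
ExecStart=/usr/local/bin/example-app --data /var/lib/example-app
User=example-app
Group=example-app

# Variant 1: everything read-only (including /etc), then whitelist writes.
ProtectSystem=strict
# Paths the service is allowed to write to. A leading "-" makes the
# entry optional so the unit still starts if the path does not exist.
ReadWritePaths=/var/lib/example-app /var/log/example-app -/run/example-app

# Variant 2 (alternative to ProtectSystem=strict; do not combine both):
# ReadOnlyPaths=/
# ReadWritePaths=/var/lib/example-app /var/log/example-app
# Note that ReadOnlyPaths=/ also covers /dev, /proc and /sys, which some
# services need writable. The narrower directives below give targeted
# protection for those trees instead.

# Targeted protection for /dev, /proc/sys and /sys/fs/cgroup, as mentioned
# in the answer. These work with either variant.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes

# Common companions: a private /tmp and no privilege escalation via setuid.
PrivateTmp=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze verify example-app.service` catches syntax errors and `systemd-analyze security example-app.service` reports which sandboxing directives are in effect, which makes it easy to confirm that the write whitelist is actually applied before enabling the service.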