In case anyone's interested, I recently added the reference links I used to the README for my practical example of how to write a maximally sandboxed systemd service when you still need to invoke a subprocess from the host system's repositories.
https://github.com/ssokolow/fan_remote