Yes, that's what I figured out by now. I always assumed that DevicePolicy=closed DeviceAllow=/dev/sda rw would result in other devices not being available, similarly to PrivateDevices=true. But they're just not writable. That confused me when I created a reverse shell from a service to be able to inspect it. PrivateDevices=true must not be used in conjunction with the other options, as it's intended as a one-stop flag for services that don't need any devices. So the settings in c10 are the correct settings.
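As an added illustration (not part of the post above, and not a configuration from the thread), here are the two approaches being compared as systemd drop-in snippets, with the service names, the unit paths and /dev/sda as assumptions for the example:

```ini
# Added example, not from this thread. Service names, drop-in paths and the
# device path /dev/sda are assumptions chosen for illustration.

# --- /etc/systemd/system/disk-inspect.service.d/devices.conf ---
# Allow-list approach: every device node stays visible under /dev, but the
# cgroup device controller refuses open() on anything not listed, so a read
# or write of another disk fails with EPERM ("Operation not permitted").
# DevicePolicy=closed still permits the standard pseudo-devices
# (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom, ...);
# DevicePolicy=strict permits only the DeviceAllow= entries.
[Service]
DevicePolicy=closed
DeviceAllow=/dev/sda rw

# --- /etc/systemd/system/no-devices.service.d/devices.conf ---
# Private-namespace approach: the service gets its own tmpfs-backed /dev
# containing only pseudo-devices, so physical devices are not present at all.
# This setting also implies DevicePolicy=closed and removes CAP_MKNOD and
# CAP_SYS_RAWIO from the service's capabilities.
[Service]
PrivateDevices=yes
```

To confirm which policy is in effect for a unit, `systemctl show -p DevicePolicy -p DeviceAllow -p PrivateDevices disk-inspect.service` prints the resolved values. The difference between the two snippets can be observed without a reverse shell by starting a transient unit with the properties in question, for example `systemd-run -t -p DevicePolicy=closed -p "DeviceAllow=/dev/sda rw" -- ls -l /dev/sd*`: the other disks are listed, but reading one of them from inside that unit fails with "Operation not permitted", whereas with `-p PrivateDevices=yes` the listing shows no disk nodes at all.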