I love how easy it is to create completely isolated daemons with systemd. In a single .service file one can define a daemon that has a very limited view of the filesystem, can only open specific devices, uses randomized UIDs, and has limited capabilities: https://www.freedesktop.org/software/systemd/man/latest/syst...
It is way simpler and cleaner than Docker/Podman IMHO.
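As an added example (not the commenter's own), a unit file that applies the four features named above in one place: a randomized transient UID, a read-only filesystem view with a single writable state directory, access to exactly one device node, and an empty capability set. The service name, binary path and `/dev/ttyUSB0` are assumptions.

```ini
# Added example: /etc/systemd/system/sensor-reader.service
# (service name, binary and device node are assumptions)
[Unit]
Description=Sandboxed sensor reader
After=network.target

[Service]
ExecStart=/usr/local/bin/sensor-reader --state /var/lib/sensor-reader
# Randomized UID/GID allocated at start and released at stop; the
# state directory stays owned by the service across restarts.
DynamicUser=yes
StateDirectory=sensor-reader
SupplementaryGroups=dialout

# Limited view of the filesystem: /usr, /boot and /etc read-only,
# /home hidden, private /tmp, other processes invisible in /proc.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectProc=invisible
ProcSubset=pid

# Only this device node (plus systemd's default pseudo-devices) is openable.
DevicePolicy=closed
DeviceAllow=/dev/ttyUSB0 rw

# Drop every capability and block re-escalation via setuid binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes
RestrictSUIDSGID=yes

# Further attack-surface reduction.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security sensor-reader.service` prints a per-directive exposure breakdown, which is a quick way to check that the sandbox actually took effect.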