Writes NoNewPrivileges=yes, preventing the service and its child processes from gaining additional privileges.

This is a low-risk hardening option for many services. Avoid it only when the application intentionally relies on setuid helpers or other privilege elevation after startup.