Comment by CoolCold

I have much more peace of mind when it's not in chroot but even better inside systemd unit and all that ReadonlyPath and capabilities applied. In the ideal case network access beyond localhost and may be db is denied for greater safety