Comment by fugue88

I agree with what you wrote, and add that you should make sure that your service's executables and scripts also should not be owned by the user they run as.

It's unfortunately very common to install, for example, a project as the "ubuntu" user and also run it as the "ubuntu" user. But this arrangement effectively turns any kind of file-overwrite vulnerability into a remote-execution vulnerability.

Owning executables as root:root, perms 0755, and running as a separate unprivileged user, is a standard approach.