Today I learned that unprivileged users can run "systemctl show servicename" to see all the environment variables set in the .service file.
This means if someone sets their AWS_SECRET_ACCESS_KEY in there (or any other secret), it can be read by an attacker even if they don't have read privileges to read the .service file.
For defenders, use EnvironmentFile= instead of Environment= and as long as your environment file has the correct privileges, you will be fine on this front.
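An audit sketch for the point above, added here as an example and not part of the original post: it scans `.service` files for secret-looking names set inline with `Environment=` and for `EnvironmentFile=` targets that group or other can read. The function name `audit_units` and the name pattern `SECRET_RE` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag secrets that "systemctl show" would expose.
# SECRET_RE is an assumed heuristic for secret-looking variable names.
SECRET_RE='SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY'

# audit_units DIR
# Prints one finding per line; variable values are never printed.
#   INLINE <unit> <VAR>   secret-looking name set with Environment=
#   PERMS  <unit> <path>  EnvironmentFile= readable by group or other
audit_units() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        name=$(basename "$unit")

        # Environment= can carry several VAR=value pairs per line.
        sed -n 's/^[[:space:]]*Environment=//p' "$unit" |
            tr ' ' '\n' | tr -d '"' | cut -s -d= -f1 |
            grep -Ei "$SECRET_RE" |
            while read -r var; do
                echo "INLINE $name $var"
            done

        # A leading "-" on the path means "ignore if missing"; strip it.
        sed -n 's/^[[:space:]]*EnvironmentFile=-\{0,1\}//p' "$unit" |
            while read -r envfile; do
                [ -f "$envfile" ] || continue
                # Any group/other read bit defeats the point of the file.
                if [ -n "$(find "$envfile" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
                    echo "PERMS $name $envfile"
                fi
            done
    done
    return 0
}

# Run as a script with a unit directory, e.g. /etc/systemd/system
if [ "$#" -gt 0 ]; then
    audit_units "$1"
fi
```

Splitting on spaces is a simplification, so quoted values that contain spaces can produce extra name candidates. Drop-in `.conf` files are not scanned.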
I don't like Systemd but I find it hard to find a distro for desktop/laptop that is not Systemd as I find many of my options there to be a PITA to work with.
I've used enough Debian-based, Arch-based, and everything in between to not care much. Just work is all I ask and maybe to not make me spend 10 minutes typing in a terminal just to raise your nose in the air instead of spending 30 seconds in a GUI (looking at you Artix).
I'm a Manjaro/Garuda type of Arch user. Basically dumbed down and dirt easy. The installer is very easy for Artix but once installed it was way too terminal-based for my liking. Not a knock against them, just not for me. One day.
Linux geeks doing what Linux geeks do...