If you want to test these settings, I can recommend `sudo systemd-run -p "DynamicUser=yes" -p "ProtectSystem=yes" -p "ProtectHome=yes" --shell`, but be in a readable directory like /tmp or you will receive an error.
Ooh, is this a good way to sandbox execs like ImageMagick or stuff like that?
Use firejail, it's a "one click" solution with prepackaged profiles.
https://github.com/netblue30/firejail/
It uses the same kernel knobs as systemd does, but is more user-friendly and has more features.
I use it for every application that handles data received from other machines: books, images, documents, whatever.