fix(linux): drop risky sandbox directives that break Rust network daemons

Integration test failed with exit 7 on curl to /health after a successful
install — service started but never listened. The likely culprits are
MemoryDenyWriteExecute (breaks jemalloc/some crypto), SystemCallFilter
~@privileged @resources (blocks setrlimit and friends tokio may use),
and RestrictNamespaces/LockPersonality (occasional foot-guns).

Pull them and keep a conservative hardening set that's well-tested with
Rust network services: no-new-privs, protect-system/home, private tmp
and devices, protect-kernel-*, restrict-realtime/suid/address-families.
Layer the aggressive bits back in follow-up PRs once tested individually.

numa.service

@@ -22,7 +22,9 @@ StateDirectoryMode=0750
 ConfigurationDirectory=numa
 ConfigurationDirectoryMode=0755
 
-# Sandboxing
+# Sandboxing — conservative set known to work with Rust network daemons.
+# Aggressive hardening (MemoryDenyWriteExecute, SystemCallFilter, seccomp
+# allow-lists) can be layered on once tested in isolation.
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
@@ -31,14 +33,8 @@ PrivateDevices=true
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectControlGroups=true
-LockPersonality=true
-MemoryDenyWriteExecute=true
-RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
 # AF_NETLINK for interface enumeration on network changes
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK