Move systemd unit hardening from 'supybot-botchk' to 'security'

'supybot-botchk' is meant for beginners, they don't need/want to deal with this.

use/security.rst

@@ -173,3 +173,14 @@ Again, if this is undesirable to you, you can do the following:
 Note that, when asking for help involving an error, you should enable verbose
 errors when providing logs (ie. reset these last values to their default),
 so it is easier to help you diagnose your problems.
+
+Finally, if you use :ref:`the systemd unit <supybot-botchk>`, you can add
+this to its ``[Service]]`` section:
+
+    SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+    ProtectSystem=strict
+    ProtectHome=read-only
+    ReadWritePaths=/home/bot/botname
+
+This might break some plugins, but most will work. You will get explicit
+errors if this is an issue, and you can always revert back.

use/supybot-botchk.rst

@@ -33,11 +33,6 @@ following content replacing things were suitable::
     Restart=always
     User=BOTUSERNAME
     SyslogIdentifier=Supybot
-    # Uncomment these lines for extra security at the cost of breaking some third-party plugins:
-    # SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
-    # ProtectSystem=strict
-    # ProtectHome=read-only
-    # ReadWritePaths=/home/bot/botname
 
     [Install]
     WantedBy=multi-user.target