diff --git a/use/security.rst b/use/security.rst
index 17af0e1..c8bb01c 100755
--- a/use/security.rst
+++ b/use/security.rst
@@ -173,3 +173,14 @@ Again, if this is undesirable to you, you can do the following:
 Note that, when asking for help involving an error, you should enable verbose
 errors when providing logs (ie. reset these last values to their default),
 so it is easier to help you diagnose your problems.
+
+Finally, if you use :ref:`the systemd unit <supybot-botchk>`, you can add
+this to its ``[Service]]`` section:
+
+    SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
+    ProtectSystem=strict
+    ProtectHome=read-only
+    ReadWritePaths=/home/bot/botname
+
+This might break some plugins, but most will work. You will get explicit
+errors if this is an issue, and you can always revert back.
diff --git a/use/supybot-botchk.rst b/use/supybot-botchk.rst
index 259472d..22576aa 100644
--- a/use/supybot-botchk.rst
+++ b/use/supybot-botchk.rst
@@ -33,11 +33,6 @@ following content replacing things were suitable::
     Restart=always
     User=BOTUSERNAME
     SyslogIdentifier=Supybot
-    # Uncomment these lines for extra security at the cost of breaking some third-party plugins:
-    # SystemCallFilter=~@raw-io @clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io
-    # ProtectSystem=strict
-    # ProtectHome=read-only
-    # ReadWritePaths=/home/bot/botname
 
     [Install]
     WantedBy=multi-user.target