What does it mean that a systemd service is exposed or unsafe?

Running systemd-analyze security produces a list of systemd services which are assessed to be OK, MEDIUM, EXPOSED or UNSAFE.

systemd-analyze [OPTIONS…] COMMAND …

Profile systemd, show unit dependencies, check unit files.

security [UNIT…] Analyze security of unit

I wonder what it means for a service to be exposed or unsafe.
What does it entail for overall security of the system? And are there measures to be taken to make those services secure?

soystemd is unsafe!!!111 :male_detective:


Thanks for the links!
I did a search before posting and skimmed through the AskUbuntu post, but it is a bit above my pay grade how to go about in practice to have more restrictive sandboxing for the services without breaking things :blush:

Perhaps I should be moving the thread to #arch-based-related-questions:newbie >> Done!
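
As an added example (not part of any post in this thread, and not code from systemd), the overview table printed by `systemd-analyze security` can be filtered by rating so the highest exposure scores come first. The unit names and scores in the sample are constructed, and `sample_report` and `triage` are hypothetical helper names.

```shell
#!/bin/sh
# Triage the overview table printed by `systemd-analyze security`.
# Table columns: UNIT EXPOSURE PREDICATE HAPPY

# Constructed sample input (hypothetical units and scores).
sample_report() {
cat <<'EOF'
UNIT                     EXPOSURE PREDICATE HAPPY
demo-net.service              7.8 EXPOSED   🙁
demo-print.service            9.6 UNSAFE    😨
demo-log.service              4.4 OK        🙂
demo-web.service              9.2 UNSAFE    😨
demo-sync.service             5.7 MEDIUM    😐
EOF
}

# Read the table on stdin and print "score rating unit" for every unit
# whose rating is at least $1 (default: EXPOSED), highest score first.
triage() {
    min="${1:-EXPOSED}"
    case "$min" in
        OK|MEDIUM|EXPOSED|UNSAFE) ;;
        *) echo "unknown rating: $min" >&2; return 2 ;;
    esac
    awk -v min="$min" '
        BEGIN { rank["OK"]=0; rank["MEDIUM"]=1; rank["EXPOSED"]=2; rank["UNSAFE"]=3 }
        # The header and any other line without a known rating in
        # column 3 are skipped by the ($3 in rank) test.
        ($3 in rank) && rank[$3] >= rank[min] { print $2, $3, $1 }
    ' | LC_ALL=C sort -k1,1nr -k3,3
}

# Demonstration on the constructed sample.
sample_report | triage EXPOSED
```

On a live system the same filter is fed with `systemd-analyze security --no-pager | triage EXPOSED`; running `systemd-analyze security UNIT` for one of the listed units then shows which individual settings contribute to its score.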

Here are two more from Red Hat: