diff --git a/deploy/install/restic-manager-agent.service b/deploy/install/restic-manager-agent.service index e253ccc..01931e1 100644 --- a/deploy/install/restic-manager-agent.service +++ b/deploy/install/restic-manager-agent.service @@ -53,8 +53,11 @@ RestrictNamespaces=true LockPersonality=true MemoryDenyWriteExecute=true SystemCallArchitectures=native -SystemCallFilter=@system-service -SystemCallFilter=~@privileged @resources @reboot @swap @module @raw-io +# (No SystemCallFilter — the cap drop above already constrains what +# root can do; an allow-list filter killed restic with SIGSYS during +# init because @system-service excludes some of the syscalls Go's +# runtime + restic's file scanner reach for. The Protect*/Restrict* +# toggles still cover network / kernel / mount / namespace.) [Install] WantedBy=multi-user.target
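Review bot: removing both `SystemCallFilter=` lines in the `@@ -53,8 +53,11 @@` hunk drops seccomp filtering for the agent altogether, where the failure described in the new comment only calls for widening the filter. The comment blames `@system-service`, but the second removed line also subtracted `@privileged` and `@resources` from that allow-list, so the SIGSYS may have come from either set. Please record in the comment or commit message which syscall was actually blocked; the audit log entry for the seccomp kill names it. Consider keeping a plain deny-list such as `SystemCallFilter=~@reboot @swap @module @raw-io`, and adding `SystemCallErrorNumber=EPERM` so a blocked call returns an error instead of killing restic. The comment also leans on "the cap drop above", which is outside this hunk, so it is worth confirming that the capability settings there cover what the removed `~@privileged` line was denying.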