Yeah, this is really what it boils down to: the goal with the systemd
directives is to make things easy to grok and easy to change. I can
probably explain to most Linux admins who have administered a current
Fedora in 5min what ProtectSystem=strict and
ReadWritePaths=/var/lib/myservice does, and why it's a good thing. And

One thing that SELinux does right is auditing---access violations are logged, so that there are no silent mysterious failures (well, mumble,  mumble, maybe sometimes, you know what I mean). Also, SELinux allows debugging in the permissive mode that just logs without actually blocking access. What happens after systemd directives result in denials?

BTW, it's ProtectSystem=true/false/full (not strict), right?