diff --git a/nixos/modules/services/security/pocket-id.nix b/nixos/modules/services/security/pocket-id.nix
index 62259a7959a4..c3a93869dd1e 100644
--- a/nixos/modules/services/security/pocket-id.nix
+++ b/nixos/modules/services/security/pocket-id.nix
@@ -174,12 +174,12 @@ in
 CapabilityBoundingSet = "";
 DeviceAllow = "";
 DevicePolicy = "closed";
- #IPAddressDeny = "any"; # communicates with the frontend
+ #IPAddressDeny = "any"; # provides the service through network
 LockPersonality = true;
 MemoryDenyWriteExecute = true;
 NoNewPrivileges = true;
 PrivateDevices = true;
- PrivateNetwork = false; # communicates with the frontend
+ PrivateNetwork = false; # provides the service through network
 PrivateTmp = true;
 PrivateUsers = true;
 ProcSubset = "pid";
@@ -191,7 +191,8 @@ in
 ProtectKernelModules = true;
 ProtectKernelTunables = true;
 ProtectProc = "invisible";
- ProtectSystem = "full"; # needs to write in cfg.dataDir
+ ProtectSystem = "strict";
+ ReadWritePaths = [ cfg.dataDir ];
 RemoveIPC = true;
 RestrictAddressFamilies = [
 "AF_INET"
@@ -212,7 +213,7 @@ in
 "@privileged"
 "@raw-io"
 "@reboot"
- #"@resources" # vm test segfaults
+ "@resources"
 "@swap"
 ];
 UMask = "0077";
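Review bot: The `#IPAddressDeny = "any";` line in the first hunk is still dead code after the comment rewording, and a commented-out hardening directive reads as an unfinished TODO rather than a decision. If the service is meant to be reachable from arbitrary clients, delete the line and keep the explanation on `PrivateNetwork = false;` alone; if the module is expected to sit behind a local reverse proxy (not visible from this hunk), the usual pattern is `IPAddressDeny = "any";` paired with `IPAddressAllow = "localhost";` rather than leaving the deny commented out. Either way the new comment should say which of the two holds, e.g. `# listens on the network for OIDC clients; no IPAddressDeny`.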
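Review bot: `ReadWritePaths = [ cfg.dataDir ];` only re-mounts an existing path writable; under `ProtectSystem = "strict"` the rest of the filesystem, including `/var/lib`, is read-only, so if nothing outside this hunk creates `cfg.dataDir` before `ExecStart` the service can no longer create it itself and a non-existent `ReadWritePaths=` entry fails the unit. If the directory is created by a `StateDirectory=` or a tmpfiles rule elsewhere in the module this is fine, but that is not visible here and should be confirmed. When `cfg.dataDir` is under `/var/lib`, `StateDirectory` is the more idiomatic choice since systemd creates it with the right owner and it is writable under `strict` without a `ReadWritePaths=` entry. The dropped why-comment is also worth keeping: `ReadWritePaths = [ cfg.dataDir ]; # only writable path under ProtectSystem=strict`.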
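Review bot: Re-enabling `"@resources"` in the third hunk drops the `# vm test segfaults` comment without saying what changed to make the filter safe; a "segfault" in that situation is the expected SIGSYS kill when the process hits a filtered syscall (Go runtimes commonly call `prlimit`/`setrlimit`, which `@resources` covers), so the risk is that the kill now only shows up at runtime on a code path the VM test does not exercise. If the filter is kept, setting `SystemCallErrorNumber = "EPERM";` next to `SystemCallFilter` makes a hit fail the individual call instead of killing the process, which is far easier to diagnose from the journal. The commit should also state that the VM test was re-run with this enabled. The `SystemCallFilter` list this entry belongs to starts outside the hunk, so I cannot see whether `SystemCallErrorNumber` is already set.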