The feature implemented in #164 doesn't appear to work in Fedora's deployment.

It's not entirely clear why. The systemd unit ships with a syscall filter, but it's @system-service which includes the @file-system group, which has setxattr:

❯ systemd-analyze syscall-filter @file-system | grep setxattr
    fsetxattr
    lsetxattr
    setxattr
    setxattrat

There's no permission denied error either. It seems to operate normally, but doesn't have the expected ACLs.