diff --git a/NEWS b/NEWS
index bbcb209fc..48f39f135 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,5 @@
 1.5.19.dev0
+ * Update sample systemd service file with more granular read-only filesystem settings.
 * Move Gitea and GitHub hosting from a personal namespace to an organization for better collaboration with related projects.
 * 1k ★s on GitHub!
diff --git a/sample/systemd/borgmatic.service b/sample/systemd/borgmatic.service
index b6adda964..d025785b9 100644
--- a/sample/systemd/borgmatic.service
+++ b/sample/systemd/borgmatic.service
@@ -32,10 +32,10 @@ RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallErrorNumber=EPERM
-# Restrict write access
-# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
-# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
-# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
+# To restrict write access further, change "ProtectSystem" to "strict" and uncomment
+# "ReadWritePaths", "ReadOnlyPaths", "ProtectHome", and "BindPaths". Then add any local repository
+# paths to the list of "ReadWritePaths" and local backup source paths to "ReadOnlyPaths". This
+# leaves most of the filesystem read-only to borgmatic.
 ProtectSystem=full
 # ReadWritePaths=-/mnt/my_backup_drive
 # ReadOnlyPaths=-/var/lib/my_backup_source
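Review bot: The new comment block tells users to put backup source paths in "ReadOnlyPaths", but that directive only tightens access, it never grants it: once "ProtectSystem" is "strict" everything outside /dev, /proc and /sys is already read-only, so a source under /var/lib (as in the sample `# ReadOnlyPaths=-/var/lib/my_backup_source` line) gains nothing from being listed, and, as far as I recall from systemd.exec(5), a source under /home or /root that "ProtectHome=yes" hides is not re-exposed by "ReadOnlyPaths" either. Users who follow the comment literally for a home-directory source will get a unit that starts but backs up nothing, which is worth a sentence here; I would add `# "ReadOnlyPaths" only tightens access and does not re-expose paths hidden by "ProtectHome=yes";` and `# for sources under /home use "ProtectHome=read-only" or "BindReadOnlyPaths" instead.` The "ProtectHome" and "BindPaths" lines the comment refers to are outside this hunk, so I cannot confirm their values or that "BindPaths" is the read-only variant the comment implies.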