Without this restriction, any system user can start processes with root privileges, e.g. `$ sudo -u mail systemd-run --pipe -q id` prints `uid=0(root) gid=0(root) groups=0(root)`.
@@ -1,5 +1,5 @@
[Qubes allow all]
-Identity=*
+Identity=unix-group:qubes
Action=*
ResultAny=yes
ResultInactive=yes
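Review bot: `Action=*` on the line after the changed `Identity=` still grants every polkit action, including root-equivalent ones such as the systemd-run/manage-units case quoted in the description, to any process running as a member of group `qubes`, so this narrows who is trusted but not what they may do; that intent deserves a comment in the file, e.g. `# Members of group qubes are fully trusted (root-equivalent); narrow Action= if that ever changes.`. The restriction is only as strong as the group's membership, so it is worth confirming that no service or system accounts (such as `mail` in the example) are in `qubes`. Note also that `.pkla` files are honoured only by the pklocalauthority backend of older polkit; if the target distribution uses the JavaScript rules backend, an equivalent `rules.d` rule would need the same `isInGroup("qubes")` check, which this change does not touch.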