diff --git a/modules/services/espanso.nix b/modules/services/espanso.nix
index f6e27e796..b9528b8ef 100644
--- a/modules/services/espanso.nix
+++ b/modules/services/espanso.nix
@@ -124,6 +124,15 @@ in {
         Type = "exec";
         ExecStart = "${cfg.package}/bin/espanso daemon";
         Restart = "on-failure";
+
+        # Sandboxing.
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateUsers = true;
+        RestrictNamespaces = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
       };
       Install = { WantedBy = [ "default.target" ]; };
     };
diff --git a/tests/modules/services/espanso/basic-configuration.service b/tests/modules/services/espanso/basic-configuration.service
index 593196e59..822459e96 100644
--- a/tests/modules/services/espanso/basic-configuration.service
+++ b/tests/modules/services/espanso/basic-configuration.service
@@ -3,7 +3,14 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@espanso@/bin/espanso daemon
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateUsers=true
 Restart=on-failure
+RestrictNamespaces=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 Type=exec
 
 [Unit]
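Review bot: The `# Sandboxing.` comment on the new options in the `Service` block should record the two operational constraints they introduce, since neither is obvious from the option names. `SystemCallFilter = "@system-service"` with no `SystemCallErrorNumber` set means a filtered syscall kills the daemon with SIGSYS rather than failing with an errno, and together with the existing `Restart = "on-failure"` that turns a single disallowed call into a restart loop; `PrivateUsers = true` in a user unit depends on unprivileged user namespaces being available on the host, and the unit will fail to start where they are disabled. Espanso can also spawn user-configured helper commands from the daemon, and if so they inherit these restrictions, so a short pointer in the comment would save the next person debugging a "shell match" that dies with SIGSYS — I would replace the comment with something like `# Sandboxing. Violations of SystemCallFilter kill the process (SIGSYS); PrivateUsers requires unprivileged user namespaces; child processes inherit all of this.` Two further seccomp-based options that are safe in user units and not implied by the set already added, `RestrictRealtime = true;` and `RestrictSUIDSGID = true;`, would be natural to include next to `RestrictNamespaces`. The enclosing `systemd.user.services.espanso` attribute set begins outside the hunk.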