Add comment about MemoryDenyWriteExecute value and the tradeoffs thereof.

sample/systemd/borgmatic.service

@@ -11,6 +11,8 @@ Type=oneshot
 # For more details about this settings check the systemd manuals
 # https://www.freedesktop.org/software/systemd/man/systemd.exec.html
 LockPersonality=true
+# Certain borgmatic features like Healthchecks integration need MemoryDenyWriteExecute to be off.
+# But you can try setting it to "yes" for improved security if you don't use those features.
 MemoryDenyWriteExecute=no
 NoNewPrivileges=yes
 PrivateDevices=yes