Since we're now doing important operations in the tmp directory, we should re-enable systemd's PrivateTmp=true for extra hardening. I had disabled it because the ssh-agent socket is in /tmp.
Probably if we relocate the ssh-agent socket so it's not in /tmp (I think it's supposed to be in /run anyways) then we should be able to do this with no other issues.
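A sketch of the relocation proposed above, as an added example that is not taken from this project: the agent runs as its own unit with the socket under /run, and the service that works in /tmp enables PrivateTmp=true. The unit names, the `example` user and the `/usr/local/bin/example-app` path are hypothetical placeholders.

```ini
# /etc/systemd/system/example-ssh-agent.service  (hypothetical unit name)
[Unit]
Description=ssh-agent with its socket under /run instead of /tmp

[Service]
User=example
# Creates /run/example-ssh-agent owned by User=, removed when the unit stops.
RuntimeDirectory=example-ssh-agent
RuntimeDirectoryMode=0700
# -D keeps the agent in the foreground; -a binds the socket to a fixed path.
# %t expands to /run for system units.
ExecStart=/usr/bin/ssh-agent -D -a %t/example-ssh-agent/agent.sock

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/example-app.service  (hypothetical unit name)
[Unit]
Description=Service that works in /tmp and talks to the agent
Requires=example-ssh-agent.service
After=example-ssh-agent.service

[Service]
# Same user as the agent, so the socket's ownership allows the connection.
User=example
# The service gets its own /tmp and /var/tmp; a socket in the host's /tmp
# would not be visible here, which is why it now lives under /run.
PrivateTmp=true
Environment=SSH_AUTH_SOCK=/run/example-ssh-agent/agent.sock
ExecStart=/usr/local/bin/example-app
```

After a `systemctl daemon-reload` and restart, `systemctl show -p PrivateTmp example-app.service` should report `PrivateTmp=yes`.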