Set capabilities for systemd service

CapabilityBoundingSet - limits capabilities the process is allowed to obtain. It doesn't grant any.
Example:
if a unit has the following,

CapabilityBoundingSet=CAP_A CAP_B
CapabilityBoundingSet=CAP_B CAP_C

then CAP_A, CAP_B, and CAP_C are set.
If the second line is prefixed with ~, e.g.,

CapabilityBoundingSet=CAP_A CAP_B
CapabilityBoundingSet=~CAP_B CAP_C

then, only CAP_A is set.

AmbientCapabilities - grants capabilities that the process normally wouldn't have started with.
Controls which capabilities to include in the ambient capability set for the executed process. Takes a whitespace-separated list of capability names. This option may appear more than once, in which case the ambient capability sets are merged.
If the list of capabilities is prefixed with ~, all but the listed capabilities will be included, the effect of the assignment inverted.
If the empty string is assigned to this option, the ambient capability set is reset to the empty capability set, and all prior settings have no effect. If set to ~ (without any further argument), the ambient capability set is reset to the full set of available capabilities, also undoing any previous settings.