Why should you allow all possible system calls from your application when you know that you only need some? seccomp is one answer for that problem.