sandboxing with systemd PrivateNetwork - how to enable X11 connection?
4 votes, 1 answer, 126 views
The goal is to create a generic sandboxing systemd `.conf` file to be included as a snippet in application unit files in order to harden/sandbox them.
One major requirement is to block all of the application's network access to the outside world, and preferably also locally.
One option is setting [PrivateNetwork=true](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=), but this breaks graphical applications, which are no longer able to connect to the X server:
```
Warning: [qt.qpa.xcb] QtWarning: could not connect to display :0
Warning: [qt.qpa.plugin] QtWarning: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin
```
Is there a way to use `PrivateNetwork` with GUI programs?
---
As an alternative I'm considering the following two settings:
```ini
# restricts the network interfaces that processes of this unit can use:
RestrictNetworkInterfaces=lo
# block all network traffic, including localhost:
IPAddressDeny=any
```
Is this alternative good enough for my requirement? Is `PrivateNetwork` still even required with these settings?
Asked by laur
(790 rep)
May 12, 2025, 12:27 PM
Last activity: May 12, 2025, 12:58 PM
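The following drop-in is an added example written for this page, not the asker's snippet or anything from the linked answer. It puts the two approaches side by side: Variant A keeps `PrivateNetwork=` and restores X11 access, Variant B is the filter-based alternative from the question. The mechanism behind Variant A is documented in systemd.exec(5): `PrivateNetwork=` also detaches the host's abstract AF_UNIX socket namespace, which is the transport X11 clients try first, while path-based sockets such as `/tmp/.X11-unix/X0` stay reachable as long as the directory is visible inside the unit. The paths `%h/.Xauthority` and `/tmp/.X11-unix`, the presence of `PrivateTmp=`, and the assumption that the user manager already carries `DISPLAY`/`XAUTHORITY` in its environment are assumptions, not facts from the page.

```ini
# sandbox.conf  (constructed example; adjust paths to your session)
# Intended as a drop-in for a per-user service, e.g.
#   ~/.config/systemd/user/myapp.service.d/sandbox.conf
[Service]

# ----- Variant A: own network namespace, X11 via the path socket -----------
# PrivateNetwork= gives the unit a private network namespace. This cuts off
# AF_INET/AF_INET6 and also the host's *abstract* AF_UNIX sockets
# (@/tmp/.X11-unix/X0), which is why the client reports "could not connect
# to display :0". The filesystem socket /tmp/.X11-unix/X0 is not namespaced.
PrivateNetwork=yes

# If the snippet also uses PrivateTmp=, /tmp is replaced and the X11 socket
# directory disappears with it; bind it back in read-only (assumption: the
# server socket lives under /tmp/.X11-unix, the usual location).
PrivateTmp=yes
BindReadOnlyPaths=/tmp/.X11-unix

# The client also needs the MIT-MAGIC-COOKIE file. %h expands to the home
# directory of the user running the manager (assumption: cookie is ~/.Xauthority).
BindReadOnlyPaths=%h/.Xauthority

# ----- Variant B: stay in the host namespace, filter IP traffic instead -----
# Use this *instead of* Variant A, not on top of it (keys left commented out).
# RestrictNetworkInterfaces=lo limits the unit's sockets to loopback;
# IPAddressDeny=any then drops all IPv4/IPv6 traffic, loopback included.
# Neither setting touches AF_UNIX, so the X11 socket keeps working without
# any bind mounts, but abstract AF_UNIX sockets and AF_NETLINK remain shared
# with the host, which PrivateNetwork= would have isolated.
#RestrictNetworkInterfaces=lo
#IPAddressDeny=any
```

To try a property set before committing it to a unit file, `systemd-run --user -p PrivateNetwork=yes -p PrivateTmp=yes -p BindReadOnlyPaths=/tmp/.X11-unix --wait <gui-program>` launches the program as a transient service with exactly those settings; `systemd-analyze security --user myapp.service` afterwards scores the unit and lists which of the isolation options are in effect, which makes the trade-off between the two variants visible.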