systemd continua reiniciando gpg-agent, mesmo que gpg-agent.service e gpg-agent*.socket estejam mascarados

Objetivo: estou tentando matar o gpg-agent (no Debian 12, se isso importa) e mantê-lo morto para sempre.

À parte: Por quê?

Porque acabei de configurar o encaminhamento do agente GPG para meu servidor SSH. Tentei alguns guias sem sucesso até encontrar este , que sugere:

$ gpg-connect-agent KILLAGENT /bye

no host remoto. Com isso, o encaminhamento de agente GPG finalmente funciona...

... mas se eu fizer login de outro cliente (um que não encaminhe seu soquete gpg-agent para o host remoto), o systemd iniciará o gpg-agent novamente :

# Killing gpg-agent ---------------------------------------------
$ ssh <host>
$ gpg-connect-agent KILLAGENT /bye
OK closing connection
$ exit
logout
Connection to <host> closed

# Logging in with GPG socket forwarding: gpg-agent stays dead ---
$ ssh <host>
$ pgrep gpg-agent
# 👌 no output
$ gpg --list-secret-keys
/home/rlue/.config/gnupg/pubring.kbx
------------------------------------
sec   rsa3072/...     # 🎉 it works!
$ exit
logout
Connection to <host> closed

# Logging in from another client: gpg-agent is back -------------
$ ssh <host>
$ pgrep gpg-agent
17077  # 🤬 bad systemd!

Como você sabe que é systemd?

$ pstree --show-parents --show-pids $(pidof gpg-agent)
systemd(1)---systemd(663)---gpg-agent(17077)

O que é intrigante porque...

Tudo isso está acontecendo depois de executar:

$ systemctl --user mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh
.socket gpg-agent-extra.socket gpg-agent-browser.socket
$ systemctl --user daemon-reload

Eu até reiniciei (veja Uptimena seção final). Para referência, aqui está o status de todas as unidades do usuário systemd:

$ systemctl --user list-unit-files
UNIT FILE                                    STATE     PRESET
app-print\[email protected]        generated -
at-spi-dbus-bus.service                      static    -
dbus.service                                 static    -
dcim-transfer.photein.service                disabled  enabled
dcim-transfer.xferase.service                disabled  enabled
dconf.service                                static    -
dirmngr.service                              static    -
glib-pacrunner.service                       static    -
gnubiff.service                              enabled   enabled
gpg-agent.service                            masked    enabled
pipewire-pulse.service                       enabled   enabled
pipewire.service                             enabled   enabled
pk-debconf-helper.service                    static    -
shpool.service                               enabled   enabled
ssh-agent.service                            static    -
systemd-exit.service                         static    -
systemd-tmpfiles-clean.service               static    -
systemd-tmpfiles-setup.service               disabled  enabled
wireplumber.service                          enabled   enabled
[email protected]                         disabled  enabled
xdg-desktop-portal-gtk.service               static    -
xdg-desktop-portal-rewrite-launchers.service enabled   enabled
xdg-desktop-portal.service                   static    -
xdg-document-portal.service                  static    -
xdg-permission-store.service                 static    -
xferase.service                              disabled  enabled
app.slice                                    static    -
background.slice                             static    -
session.slice                                static    -
dbus.socket                                  static    -
dirmngr.socket                               enabled   enabled
gpg-agent-browser.socket                     masked    enabled
gpg-agent-extra.socket                       masked    enabled
gpg-agent-ssh.socket                         masked    enabled
gpg-agent.socket                             masked    enabled
pipewire-pulse.socket                        enabled   enabled
pipewire.socket                              enabled   enabled
pk-debconf-helper.socket                     enabled   enabled
shpool.socket                                enabled   enabled
basic.target                                 static    -
bluetooth.target                             static    -
default.target                               static    -
exit.target                                  static    -
graphical-session-pre.target                 static    -
graphical-session.target                     static    -
paths.target                                 static    -
printer.target                               static    -
shutdown.target                              static    -
smartcard.target                             static    -
sockets.target                               static    -
sound.target                                 static    -
timers.target                                static    -
xdg-desktop-autostart.target                 static    -
systemd-tmpfiles-clean.timer                 disabled  enabled

54 unit files listed.

O que dá? Qualquer indicação seria profundamente apreciada.

SO e outros detalhes

$ neofetch
       _,met$$$$$gg.          rlue@<host>
    ,g$$$$$$$$$$$$$$$P.       -------------
  ,g$$P"     """Y$$.".        OS: Debian GNU/Linux 12 (bookworm) x86_64
 ,$$P'              `$$$.     Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-5.2)
',$$P       ,ggs.     `$$b:   Kernel: 6.1.0-23-amd64
`d$$'     ,$P"'   .    $$$    Uptime: 38 mins
 $$P      d$'     ,    $$P    Packages: 1549 (dpkg)
 $$:      $$.   -    ,d$$'    Shell: bash 5.2.15
 $$;      Y$b._   _,d$P'      Resolution: 1024x768
 Y$$.    `.`"Y$$$$P"'         Terminal: /dev/pts/0
 `$$b      "-.__              CPU: Intel Xeon E5-2690 v2 (4) @ 2.999GHz
  `Y$$                        GPU: 00:02.0 Vendor 1234 Device 1111
   `Y$$.                      Memory: 3024MiB / 7940MiB
     `$$b.
       `Y$$b.
          `"Y$b._
              `"""