I stopped a service. systemctl stop foo. A few seconds later it was running again. Stopped it again, watched it sit dead for a beat, then come back. I'll admit I started to take it personally.
The instinct is to blame a restart policy, so I checked. Restart=on-failure, but the unit wasn't failing, it was being asked to start. That's a different thing entirely, and the distinction is the whole answer.
The culprit was a foo.socket unit. Socket activation means systemd holds the listening socket open itself, and the moment anything connects, it starts the service to handle the request. Something on the box was polling that port, so every time I killed the service, the next connection woke it straight back up. Stopping the service without stopping the socket is like switching off a light while leaving the motion sensor armed.
The fix was to stop the socket too:
systemctl stop foo.socket foo.service
Or, to make it stay gone, systemctl mask foo.socket so nothing can pull it back. Obvious in hindsight. Most things are. I'd just never had socket activation bite me before, so it wasn't in my mental list of reasons a stopped service starts itself, and now it firmly is.
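A way to ask systemd directly what can start a unit before stopping it, as an added example that is not part of the original post. It reads the unit's TriggeredBy property (a real systemctl show property); the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of what `systemctl show -p Restart -p TriggeredBy foo.service`
# prints in the situation described in the post.
SAMPLE_SHOW='Restart=on-failure
TriggeredBy=foo.socket'

# Read `systemctl show` output on stdin and print each unit named in
# TriggeredBy= on its own line (the value is a space-separated list).
triggers_from_show() {
    sed -n 's/^TriggeredBy=//p' | tr -s ' ' '\n' | sed '/^$/d'
}

# For a service unit, print every trigger unit (socket, timer, path) that is
# still active, i.e. still able to start the service after `systemctl stop`.
armed_triggers() {
    unit=$1
    systemctl show -p TriggeredBy "$unit" | triggers_from_show |
    while read -r trig; do
        if systemctl is-active --quiet "$trig"; then
            echo "$trig"
        fi
    done
}

# Stop a service together with whatever would re-activate it.
stop_with_triggers() {
    unit=$1
    # Word splitting is intended: one argument per trigger unit.
    set -- $(armed_triggers "$unit")
    systemctl stop "$@" "$unit"
}

# Demo on the constructed sample; prints the trigger unit name.
printf '%s\n' "$SAMPLE_SHOW" | triggers_from_show
```

An empty result from armed_triggers means nothing systemd-side is waiting to start the unit again, so a service that still comes back is being started by something else.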