crio will change the default value of seccomp_use_default_when_empty from false to true in crio 1.24 and later versions.
so set seccomp_use_default_when_empty  = true in the template.
In order to not break current clusters, for those upgrade users, create a machine-config to have drop-in crio.conf file with seccomp_use_default_when_empty = false. So seccomp_use_default_when_empty change can be an opt-in for upgraded users, users will have the option to delete the MC associated with this file when they are ready to
consume the seccomp_use_default_when_empty = true for their workload