diff --git a/modules/programs/sane-sandboxed b/modules/programs/sane-sandboxed
index 3cb956ab..65e46e11 100644
--- a/modules/programs/sane-sandboxed
+++ b/modules/programs/sane-sandboxed
@@ -17,6 +17,7 @@ firejailFlags=()
 bwrapFlags=()
 landlockPaths=
 capshCapsArg=
+extraEnv=()
 enableDebug() {
 isDebug=1
@@ -193,13 +194,10 @@ parseArgs() {
 ;;
 (--sane-sandbox-portal)
 # instruct glib/gtk apps to perform actions such as opening external files via dbus calls to org.freedesktop.portal.*.
- # note that this env var primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
+ # note that GIO_USE_PORTALS primarily acts as a *fallback*: apps only open files via the portal if they don't know how to themelves.
 # this switch is typically accompanied by removing all MIME associations from the app's view, then.
- export GIO_USE_PORTALS=1
- # old name, beginning to be phased out as of 2023-10-02
- export GTK_USE_PORTAL=1
- # make `xdg-open` just forward to the portal
- export NIXOS_XDG_OPEN_USE_PORTAL=1
+ # GTK_USE_PORTALS is the old name, beginning to be phased out as of 2023-10-02
+ extraEnv+=("GIO_USE_PORTALS=1" "GTK_USE_PORTAL=1" "NIXOS_XDG_OPEN_USE_PORTAL=1")
 ;;
 (--sane-sandbox-dns)
 # N.B.: these named temporary variables ensure that "set -x" causes $1 to be printed
@@ -295,7 +293,7 @@ firejailExec() {
 fi
 PATH="$PATH:@firejail@/bin" exec \
 firejail "${firejailFlags[@]}" -- \
- "${cliArgs[@]}"
+ env "${extraEnv[@]}" "${cliArgs[@]}"
 }
@@ -340,7 +338,7 @@ bwrapExec() {
 # --unshare-user (implicit to every non-suid call to bwrap)
 PATH="$PATH:@bubblewrap@/bin" exec \
 bwrap --unshare-all --dev /dev --proc /proc --tmpfs /tmp "${bwrapFlags[@]}" -- \
- "${cliArgs[@]}"
+ env "${extraEnv[@]}" "${cliArgs[@]}"
 }
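Review bot: The rewritten comment in the `--sane-sandbox-portal` arm names `GTK_USE_PORTALS`, but the value appended to `extraEnv` on the very next line is `GTK_USE_PORTAL=1` (no trailing S), so the comment now contradicts the code it documents; it should read `# GTK_USE_PORTAL is the old name, beginning to be phased out as of 2023-10-02`. The removed lines also carried the only explanation of `NIXOS_XDG_OPEN_USE_PORTAL` (that it makes xdg-open forward to the portal), which the merged `extraEnv+=` line loses, so a second comment line such as `# NIXOS_XDG_OPEN_USE_PORTAL makes xdg-open just forward to the portal` would preserve that rationale. The typo `themelves` carried onto the rewritten fallback comment should be `themselves`. parseArgs continues on both sides of this hunk.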
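Review bot: The `env` interposed before `"${cliArgs[@]}"` in firejailExec is a bare name, so it is located by a PATH lookup inside the sandbox, whereas the landlockExec and capshonlyExec hunks pin the same helper to `/usr/bin/env`; bwrapExec's hunk has the identical bare `env`. The four exec paths therefore depend on one interposed binary under two different resolution rules: in two of them which `env` runs is decided by the sandbox's PATH, in the other two by the host's FHS layout. Pinning all four to a single path obtained through the same `@pkg@/bin` substitution this file already uses for firejail, bubblewrap and libcap would make the interposition deterministic and easy to audit. firejailExec's body begins before this hunk.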
@@ -399,7 +397,7 @@ landlockExec() {
 # invoke the actual user command.
 PATH="$PATH:@landlockSandboxer@/bin:@libcap@/bin" LL_FS_RO= LL_FS_RW="$landlockPaths" exec \
 sandboxer \
- capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
+ capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
 }
@@ -434,7 +432,7 @@ capshonlyIngestCapability() {
 capshonlyExec() {
 PATH="$PATH:@libcap@/bin" exec \
- capsh "--caps=$capshCapsArg" --shell="${cliArgs[0]}" -- "${cliArgs[@]:1}"
+ capsh "--caps=$capshCapsArg" --shell="/usr/bin/env" -- "${extraEnv[@]}" "${cliArgs[@]}"
 }
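Review bot: `--shell="/usr/bin/env"` in landlockExec introduces an executable the landlock policy did not have to allow before: capsh now execs `/usr/bin/env` under the ruleset sandboxer installs from `LL_FS_RO=` (empty) and `LL_FS_RW="$landlockPaths"`, so unless `/usr/bin/env` and whatever it resolves to or loads are covered by `landlockPaths`, the exec fails where `--shell="${cliArgs[0]}"` previously worked; how `landlockPaths` is assembled is not visible in this hunk, so this is worth confirming with a test against the strictest profile. The path is also hard-coded in FHS form while every other tool in this file is reached through `@pkg@/bin` substitution, and capshonlyExec's hunk repeats the same literal. One substituted constant shared by both call sites, with a comment noting that the landlock allow-list must include it, would keep the policy and the exec path in step. landlockExec's body begins before this hunk.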