diff --git a/hosts/common/programs/fontconfig.nix b/hosts/common/programs/fontconfig.nix
index 3d040491..2a2d26f6 100644
--- a/hosts/common/programs/fontconfig.nix
+++ b/hosts/common/programs/fontconfig.nix
@@ -28,6 +28,17 @@ let
     wantedNerdfonts;
 in
 {
+  sane.programs.fontconfig = {
+    sandbox.method = "bwrap";  # TODO:sandbox: untested
+    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.autodetectCliPaths = "existingFileOrParent";  #< this might be overkill; or, how many programs reference fontconfig internally?
+
+    persist.byStore.plaintext = [
+      # < 10 MiB
+      ".cache/fontconfig"
+    ];
+  };
+
   fonts = lib.mkIf config.sane.programs.fontconfig.enabled {
     fontconfig.enable = true;
     fontconfig.defaultFonts = {
diff --git a/hosts/common/users/colin.nix b/hosts/common/users/colin.nix
index 646cc898..b0789c1c 100644
--- a/hosts/common/users/colin.nix
+++ b/hosts/common/users/colin.nix
@@ -122,9 +122,8 @@
 
       # these are persisted simply to save on RAM.
       # ~/.cache/nix can become several GB.
-      # fontconfig and mesa_shader_cache are < 10 MB.
+      # mesa_shader_cache is < 10 MB.
       # TODO: integrate with sane.programs.sandbox?
-      ".cache/fontconfig"
       ".cache/mesa_shader_cache"
       ".cache/nix"