diff --git a/hosts/common/programs/mpv.nix b/hosts/common/programs/mpv.nix
index de7af1fa..961428ee 100644
--- a/hosts/common/programs/mpv.nix
+++ b/hosts/common/programs/mpv.nix
@@ -65,9 +65,10 @@ in
     sandbox.method = "bwrap";
     sandbox.autodetectCliPaths = true;
     sandbox.net = "all";
-    sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
-    sandbox.whitelistDbus = true;  #< mpris
     sandbox.whitelistAudio = true;
+    sandbox.whitelistDbus = true;  #< mpris
+    sandbox.whitelistDri = true;  #< mpv has excellent fallbacks to non-DRI, but DRI offers a good 30%-50% reduced CPU
+    sandbox.whitelistWayland = true;
     sandbox.extraHomePaths = [
       ".config/mpv"  #< else mpris plugin crashes on launch
       # it's common for album (or audiobook, podcast) images/lyrics/metadata to live adjacent to the primary file.
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index fb385847..b80d0cd7 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -411,7 +411,7 @@ let
       };
       sandbox.extraRuntimePaths = mkOption {
         type = types.listOf types.str;
-        default = [ "/" ];  #< TODO: reduce to just what's needed
+        default = [ ];
         description = ''
           additional $XDG_RUNTIME_DIR-relative paths to bind into the sandbox.
           e.g. `[ "bus" "wayland-1" ]` to bind the dbus and wayland sockets.