diff --git a/TODO.md b/TODO.md index d0ad9a01..41a2dceb 100644 --- a/TODO.md +++ b/TODO.md @@ -34,6 +34,8 @@ - validate duplicity backups! - encrypt more ~ dirs (~/archives, ~/records, ..?) - best to do this after i know for sure i have good backups +- /mnt/desko/home, etc, shouldn't include secrets (~/private) + - 95% of its use is for remote media access and stuff which isn't in VCS (~/records) - port all sane.programs to be sandboxed - enforce that all `environment.packages` has a sandbox profile (or explicitly opts out) - integrate `xdg-open` with the sandbox profiles diff --git a/hosts/common/programs/nautilus.nix b/hosts/common/programs/nautilus.nix index 5b8aa2b0..5c4af912 100644 --- a/hosts/common/programs/nautilus.nix +++ b/hosts/common/programs/nautilus.nix @@ -9,6 +9,42 @@ ]); }); + sandbox.method = "bwrap"; + sandbox.wrapperType = "inplace"; + sandbox.whitelistDbus = [ "user" ]; # for portals launching apps + sandbox.whitelistWayland = true; + sandbox.extraHomePaths = [ + # grant access to pretty much everything, except for secret keys. + # ".cache" + # ".config" + # ".local" + "archive" + "Books" + "dev" + "knowledge" + "Music" + "nixos" + "Pictures" + # "private" #< explicitly NOT + "records" + "ref" + "tmp" + "use" + "Videos" + ]; + sandbox.extraPaths = [ + "boot" + "mnt" + # "nix" + "tmp" + "var" + ]; + sandbox.extraRuntimePaths = [ + # not sure if these are actually necessary + "gvfs" + "gvfsd" + ]; + mime.associations = { "inode/directory" = "org.gnome.Nautilus.desktop"; }; diff --git a/hosts/common/programs/waybar/default.nix b/hosts/common/programs/waybar/default.nix index 8134fbc0..3d9ed494 100644 --- a/hosts/common/programs/waybar/default.nix +++ b/hosts/common/programs/waybar/default.nix 
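Review bot: The `"mnt"` entry in `sandbox.extraPaths` appears to undo the deliberate omission of `"private"` from `sandbox.extraHomePaths`, because the TODO.md hunk in this same commit records that `/mnt/desko/home` still includes `~/private`, so the secret keys would presumably stay reachable through the mount. Until that mount is fixed, I would either grant only the needed subdirectories of `/mnt` or mark the gap in place, e.g. `"mnt"  #< FIXME: /mnt/desko/home still exposes ~/private; narrow once the mount excludes it`. `"boot"` and `"var"` are similarly broad and carry no comment saying why a file browser needs them. The enclosing attribute set starts and ends outside the hunk, so whether these paths are bound read-only or read-write is not visible here.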
@@ -53,6 +53,11 @@ in sandbox.whitelistDbus = [ "user" ]; sandbox.whitelistWayland = true; sandbox.extraRuntimePaths = [ "/" ]; #< needs to talk to sway IPC. TODO: give the sway IPC a predictable name. + sandbox.extraPaths = [ + # for the battery indicator + "/sys/class/power_supply" + "/sys/devices" + ]; fs.".config/waybar/config".symlink.target = (pkgs.formats.json {}).generate "waybar-config.json" [
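Review bot: `"/sys/devices"` in the new `sandbox.extraPaths` exposes the whole device tree for what the comment describes as a battery indicator, and nothing says why this second path is needed. Presumably it is there because the entries under `/sys/class/power_supply` are symlinks into `/sys/devices`; if so, say that and leave a narrowing marker, e.g. `"/sys/devices"  #< power_supply entries are symlinks into here. TODO: narrow to the battery's device path`. These entries are written with a leading slash, whereas nautilus.nix in the same commit writes `"boot"` and `"mnt"` without one, so it is worth settling on one form. The surrounding attribute set begins and ends outside the hunk.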