diff --git a/hosts/common/programs/seatd.nix b/hosts/common/programs/seatd.nix
index 30e12a599..001e92bf8 100644
--- a/hosts/common/programs/seatd.nix
+++ b/hosts/common/programs/seatd.nix
@@ -20,7 +20,7 @@ lib.mkMerge [
 # "sys_admin"
 "sys_tty_config"
 ];
- sandbox.keepUsers = true;
+ sandbox.tryKeepUsers = true;
 sandbox.extraPaths = [
 "/dev" #< TODO: this can be removed if i have seatd restart on client error such that seatd can discover devices as they appear
 # "/dev/dri"
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 21c48ab89..18109bd82 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -77,7 +77,7 @@ let
 capabilities
 extraConfig
 keepPids
- keepUsers
+ tryKeepUsers
 method
 whitelistPwd
 ;
@@ -370,7 +370,7 @@ let
 this is usually wanted above just `keepPids`: it's rare to want to keep your pidspace but not access /proc.
 '';
 };
- sandbox.keepUsers = mkOption {
+ sandbox.tryKeepUsers = mkOption {
 type = types.bool;
 default = false;
 description = ''
diff --git a/modules/programs/make-sandbox-args.nix b/modules/programs/make-sandbox-args.nix
index ab9a286de..f31d5a093 100644
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -8,7 +8,7 @@
 capabilities ? [],
 dns ? null,
 keepPids ? false,
- keepUsers ? false,
+ tryKeepUsers ? false,
 netDev ? null,
 netGateway ? null,
 whitelistPwd ? false,
@@ -20,7 +20,7 @@ let
 capability = cap: [ "--sanebox-cap" cap ];
 dns = addr: [ "--sanebox-dns" addr ];
 keepPids = [ "--sanebox-keep-namespace" "pid" ];
- keepUsers = [ "--sanebox-keep-namespace" "user" ];
+ tryKeepUsers = [ "--sanebox-keep-namespace" "user" ];
 method = method: [ "--sanebox-method" method ];
 netDev = netDev: [ "--sanebox-net-dev" netDev ];
 netGateway = netGateway: [ "--sanebox-net-gateway" netGateway ];
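Review bot: The description of `sandbox.tryKeepUsers` begins on the last line of the `@@ -370` hunk in modules/programs/default.nix and continues outside it, and nothing in the visible lines says what "try" means — whether the sandbox silently runs without the host user namespace when it cannot be kept, or fails; since keeping the user namespace decides which uid/gid mapping the sandboxed program runs under, that fallback behavior belongs in the option description so that consumers such as the seatd config in the first hunk know what they are opting into. In the `@@ -20` hunk of make-sandbox-args.nix the sanebox backend still maps the renamed option to `"--sanebox-keep-namespace" "user"`, which reads as unconditional, so the option's effect appears to differ by method; a comment such as `# sanebox has no best-effort variant here: this always keeps the user namespace` on that line would make the difference explicit. The bunpen mapping added in the `@@ -54` hunk on the next line is the only backend given a distinct try-style flag.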
@@ -54,6 +54,7 @@ let
 path = p: [ "--bunpen-path" p ];
 path-home = p: [ "--bunpen-home-path" p ];
 path-run = p: [ "--bunpen-run-path" p ];
+ tryKeepUsers = [ "--bunpen-try-keep-users" ];
 whitelistPwd = [ "--bunpen-path" "." ];
 };
 gen = if method == "bunpen" then
@@ -79,6 +80,6 @@ in
 ++ capabilityFlags
 ++ lib.optionals (autodetectCliPaths != null) (gen.autodetectCliPaths autodetectCliPaths)
 ++ lib.optionals keepPids gen.keepPids
- ++ lib.optionals keepUsers gen.keepUsers
+ ++ lib.optionals tryKeepUsers gen.tryKeepUsers
 ++ lib.optionals whitelistPwd gen.whitelistPwd
 ++ extraConfig