diff --git a/hosts/common/programs/assorted.nix b/hosts/common/programs/assorted.nix
index 55671e2c1..cc43e8d89 100644
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@@ -213,7 +213,7 @@ in
   blanket.sandbox.whitelistWayland = true;
   blueberry.sandbox.method = "bwrap";
-  blueberry.sandbox.wrapperType = "wrappedDerivation";
+  blueberry.sandbox.wrapperType = "inplace";  # /etc/xdg/autostart hardcodes paths
   blueberry.sandbox.whitelistWayland = true;
   blueberry.sandbox.extraPaths = [
     "/dev/rfkill"
@@ -448,7 +448,7 @@ in
   # gnome-disks
   "gnome.gnome-disk-utility".sandbox.method = "bwrap";
-  "gnome.gnome-disk-utility".sandbox.wrapperType = "wrappedDerivation";
+  "gnome.gnome-disk-utility".sandbox.wrapperType = "inplace";  # /etc/xdg/autostart
   "gnome.gnome-disk-utility".sandbox.whitelistDbus = [ "system" ];
   "gnome.gnome-disk-utility".sandbox.whitelistWayland = true;
@@ -820,7 +820,7 @@ in
   # use like `sudo smartctl /dev/sda -a`
   smartmontools.sandbox.method = "landlock";
-  smartmontools.sandbox.wrapperType = "wrappedDerivation";
+  smartmontools.sandbox.wrapperType = "inplace";  # ships a script in /etc that calls into its bin
   smartmontools.sandbox.autodetectCliPaths = "existing";
   smartmontools.sandbox.capabilities = [ "sys_rawio" ];
diff --git a/hosts/common/programs/imagemagick.nix b/hosts/common/programs/imagemagick.nix
index a94a10093..9210ce9d7 100644
--- a/hosts/common/programs/imagemagick.nix
+++ b/hosts/common/programs/imagemagick.nix
@@ -2,7 +2,7 @@
 {
   sane.programs.imagemagick = {
     sandbox.method = "bwrap";
-    sandbox.wrapperType = "wrappedDerivation";
+    sandbox.wrapperType = "inplace";  # /etc/ImageMagick-7/delegates.xml refers to bins by absolute path
     sandbox.whitelistPwd = true;
     sandbox.autodetectCliPaths = "existingOrParent";  #< arg formatting is complicated enough that this won't always work.
     packageUnwrapped = pkgs.imagemagick.override {
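Review bot: The trailing comment on the new gnome-disk-utility line in the second assorted.nix hunk, `# /etc/xdg/autostart`, names a path but not the constraint it imposes, whereas the blueberry line in the first hunk spells it out ("hardcodes paths"). Since these comments are the only record of why `inplace` is required — an autostart entry that carries the package's absolute bin path would otherwise launch the unwrapped binary when linked out of a `wrappedDerivation` — the reason should be stated in the same form: `"gnome.gnome-disk-utility".sandbox.wrapperType = "inplace";  # /etc/xdg/autostart entry hardcodes the bin path`. The smartmontools and imagemagick lines already give a comparable one-line reason and need no change.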
diff --git a/modules/programs/make-sandboxed.nix b/modules/programs/make-sandboxed.nix
index 629ec3733..ed5fd4b01 100644
--- a/modules/programs/make-sandboxed.nix
+++ b/modules/programs/make-sandboxed.nix
@@ -218,10 +218,15 @@ let
   sandboxedWithoutFixedRefs = (runCommand "${pkgName}-sandboxed-non-binary" {} ''
     set -e
     mkdir "$out"
-    if [ -e "${unsandboxed}/share" ]; then
-      mkdir "$out/share"
-      ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/share" "$out/share"
-    fi
+    # link in a limited subset of the directories.
+    # lib/ is the primary one to avoid, because of shared objects that would be unsandboxed if dlopen'd.
+    # all other directories are safe-ish, because they won't end up on PATH or LDPATH.
+    for dir in etc share; do
+      if [ -e "${unsandboxed}/$dir" ]; then
+        mkdir "$out/$dir"
+        ${buildPackages.xorg.lndir}/bin/lndir "${unsandboxed}/$dir" "$out/$dir"
+      fi
+    done
     runHook postInstall
   '').overrideAttrs (_: {
     # specifically for meta.priority, though it shouldn't actually matter here.
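Review bot: The added comment's claim that etc/ and share/ are "safe-ish, because they won't end up on PATH or LDPATH" understates the risk the rest of this commit is working around: lndir links the files verbatim, and anything in them that embeds the package's own store path (an xdg autostart entry, a `.desktop` `Exec=` line, a D-Bus service file, a unit file, a script under etc/ calling its bin) still names `${unsandboxed}/bin/...`, so a launcher that follows it runs the unwrapped binary. That is presumably why the same commit moves blueberry, gnome-disk-utility and smartmontools to `wrapperType = "inplace"`, and the comment should say so rather than leave "safe-ish" unqualified. It would also be cheap to make the build surface such references instead of relying on each program's author to notice — a `grep -R` over the linked tree after the loop, as a warning at minimum (a hard failure may be too strict where the reference is only in documentation). The `[ -e ... ]` guard also accepts a non-directory entry, which `mkdir`+`lndir` would then choke on; `[ -d ... ]` matches the intent more precisely. The `sandboxedWithoutFixedRefs` binding's `overrideAttrs` continues past the end of the hunk.
```nix
    # link in a limited subset of the directories.
    # lib/ is the primary one to avoid, because of shared objects that would be unsandboxed if dlopen'd.
    # etc/ and share/ never land on PATH or LDPATH, but files in them (autostart entries,
    # .desktop Exec= lines, dbus service files, scripts) may still name the unsandboxed
    # store path verbatim; such programs need wrapperType = "inplace" instead.
    for dir in etc share; do
      if [ -d "${unsandboxed}/$dir" ]; then
        # … unchanged: mkdir + lndir of "$dir" …
      fi
    done
    # surface any leftover absolute references to the unwrapped package so the
    # sandbox bypass is visible at build time rather than at launch.
    if grep -Rq "${unsandboxed}" "$out/etc" "$out/share" 2>/dev/null; then
      echo "warning: ${pkgName}: non-binary files reference ${unsandboxed}; consider sandbox.wrapperType = \"inplace\"" >&2
    fi
```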