diff --git a/modules/persist/stores/crypt.nix b/modules/persist/stores/crypt.nix
index 2ed1bb2f..85f137ef 100644
--- a/modules/persist/stores/crypt.nix
+++ b/modules/persist/stores/crypt.nix
@@ -22,8 +22,8 @@ lib.mkIf config.sane.persist.enable
     fsType = "fuse.gocryptfs";
     options = [
       "nodev"
-      "nosuid"
-      "allow_other"
+      # "nosuid"  # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also, nosuid is default)
+      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
       "passfile=${key}"
       # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
diff --git a/modules/persist/stores/private.nix b/modules/persist/stores/private.nix
index 4c890c36..c71dc1d0 100644
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
@@ -31,10 +31,11 @@ lib.mkIf config.sane.persist.enable
     options = [
       "noauto"  # don't try to mount, until the user logs in!
       "nofail"
-      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
       "nodev"
-      "nosuid"
-      "quiet"
+      # "noexec"  # handful of scripts in ~/private/knowledge that are executable
+      # "nosuid"  # "Unknown parameter 'nosuid'". gocryptfs requires this be passed as `-ko nosuid` (also nosuid is default)
+      "allow_other"  # root ends up being the user that mounts this, so need to make it visible to other users.
+      # "quiet"
       # "defaults"  # "unknown flag: --defaults. Try 'gocryptfs -help'"
     ];
     noCheck = true;