diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 9050d5fd..92f4d0de 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -430,20 +430,21 @@ let
 system.checks = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
 p.package.passthru.checkSandboxed
 ];
- sane.sandboxProfiles = lib.optionals (p.enabled && p.sandbox.enable && p.sandbox.method != null && p.package != null) [
- p.package.passthru.sandboxProfiles
- ];
 # conditionally add to system PATH and env
 environment = lib.optionalAttrs (p.enabled && p.enableFor.system) {
- systemPackages = lib.optional (p.package != null) p.package;
+ systemPackages = lib.optionals (p.package != null) (
+ [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
+ );
 # sessionVariables are set by PAM, as opposed to environment.variables which goes in /etc/profile
 sessionVariables = p.env;
 };
 # conditionally add to user(s) PATH
 users.users = lib.mapAttrs (user: en: {
- packages = lib.optional (p.package != null && en && p.enabled) p.package;
+ packages = lib.optionals (p.package != null && en && p.enabled) (
+ [ p.package ] ++ lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles
+ );
 }) p.enableFor.user;
 # conditionally persist relevant user dirs and create files
@@ -529,14 +530,6 @@ in
 exposed to facilitate debugging, e.g. `nix build '.#hostConfigs.desko.sane.sandboxHelper'`
 '';
 };
- sane.sandboxProfiles = mkOption {
- type = types.listOf types.package;
- default = [];
- description = ''
- packages with /share/sane-sandbox profiles indicating how to sandbox their associated package.
- this is mostly an internal implementation detail.
- '';
- };
 sane.strictSandboxing = mkOption {
 type = types.enum [ false "warn" "assert" ];
 default = "warn";
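Review bot: In the first hunk (`@@ -430,20 +430,21 @@`), the sandbox profile is now installed only where the package itself is added to a PATH, so it depends on `p.enableFor.system` or the per-user `en` flag, whereas the removed `sane.sandboxProfiles` entry required only `p.enabled`, the sandbox settings and a non-null package. A program that is enabled and sandboxed but exposed through neither branch (if this module allows that) would end up with no profile installed; whether the helper then refuses to start the program or starts it unconfined is not visible here and is worth confirming. The sandbox guard is also written out twice, so a single binding in the enclosing scope (which starts outside the hunk), for example `sandboxProfiles = lib.optional (p.sandbox.enable && p.sandbox.method != null) p.package.passthru.sandboxProfiles;`, would keep the system and user branches from drifting apart.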
@@ -553,7 +546,6 @@ in
 environment.systemPackages = f.environment.systemPackages;
 environment.sessionVariables = f.environment.sessionVariables;
 users.users = f.users.users;
- sane.sandboxProfiles = f.sane.sandboxProfiles;
 sane.users = f.sane.users;
 sops.secrets = f.sops.secrets;
 system.checks = f.system.checks;
@@ -563,13 +555,7 @@ in
 (take (sane-lib.mkTypedMerge take configs))
 {
 environment.pathsToLink = [ "/share/sane-sandboxed" ];
- environment.systemPackages = [(
- config.sane.sandboxHelper.withProfiles
- (pkgs.symlinkJoin {
- name = "sane-sandbox-profiles";
- paths = config.sane.sandboxProfiles;
- })
- )];
+ environment.systemPackages = [ config.sane.sandboxHelper ];
 }
 {
 # expose the pkgs -- as available to the system -- as a build target.
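Review bot: In the last hunk (`@@ -563,13 +555,7 @@`), `config.sane.sandboxHelper` is installed without `withProfiles`, so the helper presumably has to find profiles through the linked system or per-user profile directories at run time. The only path this block adds to `environment.pathsToLink` is `/share/sane-sandboxed`, while the option description removed earlier in this commit places profiles under `/share/sane-sandbox`. If those are different directories, the profile packages now added to `systemPackages` and to the per-user `packages` would not be linked unless another module or the default list covers that path. In that case `environment.pathsToLink = [ "/share/sane-sandbox" "/share/sane-sandboxed" ];` would close the gap. A comment beside it, such as `# sandbox profiles are looked up under <profile dir> of the system and per-user profiles`, would make the lookup contract explicit.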