diff --git a/hosts/common/fs.nix b/hosts/common/fs.nix
index 05d323d65..01803b32e 100644
--- a/hosts/common/fs.nix
+++ b/hosts/common/fs.nix
@@ -160,7 +160,7 @@ let
 mount.mountConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
 # see `systemd-analyze filesystems` for a full list
-mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse";
+mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse";
 mount.mountConfig.RestrictNamespaces = true;
 mount.mountConfig.RestrictRealtime = true;
 mount.mountConfig.RestrictSUIDSGID = true;
diff --git a/modules/persist/stores/ephemeral.nix b/modules/persist/stores/ephemeral.nix
index 6df669f97..6644bccec 100644
--- a/modules/persist/stores/ephemeral.nix
+++ b/modules/persist/stores/ephemeral.nix
@@ -69,7 +69,7 @@ lib.mkIf config.sane.persist.enable
 mount.mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger
 #VVV this includes anything it reads from, e.g. /bin/sh; /nix/store/...
 # see `systemd-analyze filesystems` for a full list
-mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs";
+mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs";
 mount.mountConfig.RestrictNamespaces = true;
 mount.mountConfig.RestrictNetworkInterfaces = "";
 mount.mountConfig.RestrictRealtime = true;
diff --git a/modules/persist/stores/private.nix b/modules/persist/stores/private.nix
index 5816a9bff..f28beb39f 100644
--- a/modules/persist/stores/private.nix
+++ b/modules/persist/stores/private.nix
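Review bot: The `+` line in the fs.nix hunk replaces the single `devtmpfs` entry with the `@basic-api` group, which per systemd.exec(5) also admits proc, sysfs, cgroup/cgroup2, devpts and mqueue, so the effective allowlist is considerably wider than the one-word substitution suggests and nothing in the hunk records which of those filesystems the mount unit actually needs. Extend the existing "see `systemd-analyze filesystems`" comment above it with the concrete reason, e.g. `# @basic-api rather than bare devtmpfs: the mount helper also needs <FS-NAME-PLACEHOLDER>; devtmpfs is a member of the group`. The same substitution is made in the ephemeral.nix hunk on this line and the private.nix hunk below, so one comment at each site (or a shared attrset) keeps the three allowlists from drifting apart again. I believe `RestrictFileSystems=` is only enforced on kernels where the BPF LSM is active and is otherwise ignored with a warning; if that is not guaranteed elsewhere in this config, it is worth a note next to the setting so the widening is not mistaken for an enforced boundary.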
@@ -131,7 +131,7 @@ lib.mkIf config.sane.persist.enable
 mount.mountConfig.ProtectHostname = true;
 mount.mountConfig.RemoveIPC = true;
 mount.mountConfig.RestrictAddressFamilies = "AF_UNIX"; # "none" works, but then it can't connect to the logger
-mount.mountConfig.RestrictFileSystems = "@common-block devtmpfs fuse pipefs";
+mount.mountConfig.RestrictFileSystems = "@common-block @basic-api fuse pipefs";
 mount.mountConfig.RestrictNamespaces = true;
 mount.mountConfig.RestrictNetworkInterfaces = "";
 mount.mountConfig.RestrictRealtime = true;