{ ... }:
{
  sane.programs.xdg-utils = {
    # xdg-open may need to open things with elevated perms, like wireshark.
    # generally, the caller can be trusted to sandbox it.
    # if the caller is sandboxed, it will typically set NIXOS_XDG_OPEN_USE_PORTAL=1,
    # and then xdg-open simply forwards the request to dbus.
    sandbox.enable = false;
  };

  # sane.programs.xdg-utils = {
  #   sandbox.method = "capshonly";
  #   sandbox.wrapperType = "wrappedDerivation";
  #   # xdg-utils portal interaction: for `xdg-open` to open a file whose handler may require files not in the current sandbox,
  #   # we have to use a background service. that's achieved via `xdg-desktop-portal` and the org.freedesktop.portal.OpenURI dbus interface.
  #   # so, this `xdg-open` should simply forward all requests to the portal, and the portal may re-invoke xdg-open without that redirection.
  #   #   -- EXCEPT for if we're invoked by the portal itself.
  #   #
  #   # note that `xdg-desktop-portal` seems to (inadvertently) only accept requests from applications which *don't* have elevated privileges, hence xdg-open *has* to be sandboxed for this to work.
  #   # env.NIXOS_XDG_OPEN_USE_PORTAL = "1";
  #   packageUnwrapped = pkgs.xdg-utils.overrideAttrs (base: {
  #     postInstall = base.postInstall + ''
  #       sed '2i\
  #       if ! [ -e ~/.local/share/applications ]; then\
  #         NIXOS_XDG_OPEN_USE_PORTAL=1\
  #       fi\
  #       ' -i "$out"/bin/*
  #     '';
  #   });
  # };

  # ensure that any `xdg-open` invocations from within the portal don't recurse.
  # N.B.: use `systemd.user.units...` instead of `systemd.user.services...` because the latter
  # pollutes the PATH for this unit.
  # systemd.user.units."xdg-desktop-portal.service".text = ''
  #   [Service]
  #   Environment="NIXOS_XDG_OPEN_USE_PORTAL="
  # '';
}