diff --git a/hosts/common/programs/dino.nix b/hosts/common/programs/dino.nix
index da27a24e..46ada9f6 100644
--- a/hosts/common/programs/dino.nix
+++ b/hosts/common/programs/dino.nix
@@ -52,6 +52,14 @@ in
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  #< not strictly necessary, but we need all the perf we can get on moby
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
 
     persist.byStore.private = [ ".local/share/dino" ];
 
diff --git a/hosts/common/programs/element-desktop.nix b/hosts/common/programs/element-desktop.nix
index e6857c66..2dcb64ef 100644
--- a/hosts/common/programs/element-desktop.nix
+++ b/hosts/common/programs/element-desktop.nix
@@ -14,6 +14,14 @@
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
 
     packageUnwrapped = pkgs.element-desktop.override {
       # use pre-build electron because otherwise it takes 4 hrs to build from source.
diff --git a/hosts/common/programs/fractal.nix b/hosts/common/programs/fractal.nix
index c4f8e7a5..71e61d87 100644
--- a/hosts/common/programs/fractal.nix
+++ b/hosts/common/programs/fractal.nix
@@ -34,6 +34,14 @@ in
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;  # otherwise video playback buuuuurns CPU
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
 
     configOption = with lib; mkOption {
       default = {};
diff --git a/hosts/common/programs/gtkcord4.nix b/hosts/common/programs/gtkcord4.nix
index cccc6bd7..448fe143 100644
--- a/hosts/common/programs/gtkcord4.nix
+++ b/hosts/common/programs/gtkcord4.nix
@@ -38,6 +38,14 @@ in
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistDri = true;
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
 
     persist.byStore.private = [
       ".cache/gtkcord4"
diff --git a/hosts/common/programs/signal-desktop.nix b/hosts/common/programs/signal-desktop.nix
index 697cf633..7cbb5127 100644
--- a/hosts/common/programs/signal-desktop.nix
+++ b/hosts/common/programs/signal-desktop.nix
@@ -27,6 +27,14 @@ in
     sandbox.net = "clearnet";
     sandbox.whitelistAudio = true;
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
 
     # creds, media
     persist.byStore.private = [
diff --git a/hosts/common/programs/tuba.nix b/hosts/common/programs/tuba.nix
index c030a607..c40670f0 100644
--- a/hosts/common/programs/tuba.nix
+++ b/hosts/common/programs/tuba.nix
@@ -7,6 +7,15 @@
     sandbox.whitelistAudio = true;
     sandbox.whitelistDbus = [ "user" ];  # notifications
     sandbox.whitelistWayland = true;
+    sandbox.extraHomePaths = [
+      "Music"
+      "Pictures"
+      "Pictures/servo-macros"
+      "Videos"
+      "Videos/servo"
+      "tmp"
+    ];
+
     suggestedPrograms = [ "gnome-keyring" ];
   };
 }