diff --git a/share/flatpak.nix b/share/flatpak.nix
index f4af74d..40d45ac 100644
--- a/share/flatpak.nix
+++ b/share/flatpak.nix
@@ -1,20 +1,23 @@ # based on https://www.reddit.com/r/NixOS/comments/1hzgxns/fully_declarative_flatpak_management_on_nixos/ { config, lib, pkgs, ... }: let + # default restrictions, applied globally and to all packs + globalOverrides = "--nofilesystem=home --nofilesystem=host"; + # all wanted flatpak packages desiredFlatpaks = { - "com.valvesoftware.Steam" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; - "com.vivaldi.Vivaldi" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; - "io.github.ungoogled_software.ungoogled_chromium" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; - "org.mozilla.firefox" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; - "org.signal.Signal" = "--nofilesystem=home --nofilesystem=xdg-pictures --nofilesystem=xdg-music"; + "com.valvesoftware.Steam" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures"; + "com.vivaldi.Vivaldi" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures"; + "io.github.ungoogled_software.ungoogled_chromium" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures"; + "org.mozilla.firefox" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures"; + "org.signal.Signal" = "--nofilesystem=xdg-music --nofilesystem=xdg-pictures"; }; # install helper, will set filesystem overrides install = lib.lists.foldl( str: app: str + pkgs.flatpak + "/bin/flatpak install -y flathub " + app + ";\n" - + pkgs.flatpak + "/bin/flatpak override --reset;\n" + pkgs.flatpak + "/bin/flatpak override --reset " + app + ";\n" + + pkgs.flatpak + "/bin/flatpak override " + globalOverrides + " " + app + ";\n" # just to be sure, is in the global settings already + pkgs.flatpak + "/bin/flatpak override " + (lib.attrsets.getAttrFromPath [ app ] desiredFlatpaks) + " " + app + ";\n" + pkgs.flatpak + "/bin/flatpak override --show " + app + ";\n" ) "\n"; 
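Review bot: `globalOverrides` is a two-entry denylist, not a default-deny: `--nofilesystem=home --nofilesystem=host` withdraws only those two grants. Any narrower path an app's manifest requests stays granted unless it is denied by name, which is why the per-app strings still have to list `xdg-music` and `xdg-pictures`. If default-deny is the intent, Flatpak releases that support the `:reset` suffix accept `globalOverrides = "--nofilesystem=host:reset";`, which drops every filesystem grant inherited from the manifest, so each entry in `desiredFlatpaks` would then add back what it needs with `--filesystem=...`. If the denylist is kept, the comment above it should say so, e.g. `# denies home and host only; other manifest grants remain`. Note also that `flatpak override --show` prints only the override layer; `flatpak info --show-permissions` on each app shows the effective result.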
@@ -39,6 +42,10 @@ in { fi done + # setup global overrides, forbid most of the system + ${pkgs.flatpak}/bin/flatpak override --reset + ${pkgs.flatpak}/bin/flatpak override ${globalOverrides} + # install or re-install the Flatpaks you DO want ${install (builtins.attrNames desiredFlatpaks)}
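Review bot: Nothing checks the exit status of the two added `flatpak override` calls, so if the second one fails the global layer is left freshly reset, with no restrictions at all, and as far as this hunk shows the script still goes on to install the apps. Chaining them makes that state fail loudly: `${pkgs.flatpak}/bin/flatpak override --reset && ${pkgs.flatpak}/bin/flatpak override ${globalOverrides} || exit 1`. The same gap exists for the per-app `override --reset` / `override` pairs that `install` builds in the first hunk. The enclosing script string starts and ends outside this hunk, so an existing `set -e` cannot be ruled out.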