diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix index 393098d7..8e7295bd 100644 --- a/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix +++ b/modules/wrapper-manager/sandboxing/bubblewrap/dbus-filter.nix @@ -53,7 +53,6 @@ let }; }; }; - }; in { @@ -94,9 +93,7 @@ in ''; }; - policies = options.sandboxing.bubblewrap.dbus.filter.policies // { - default = cfg.dbus.filter.policies; - }; + policies = options.sandboxing.bubblewrap.dbus.filter.policies; extraArgs = lib.mkOption { type = with lib.types; listOf str; @@ -108,6 +105,7 @@ in }; }; + config.policies = cfg.dbus.filter.policies; config.extraArgs = let makePolicyArgs = dbusName: policyMetadata: diff --git a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix index f9471da6..093e376d 100644 --- a/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix +++ b/modules/wrapper-manager/sandboxing/bubblewrap/filesystem.nix @@ -177,18 +177,6 @@ let in { options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = true; }; - config.sandboxing.bubblewrap.binds.ro = getClosurePaths cfg.sharedNixPaths; - - config.sandboxing.bubblewrap.filesystem = - let - makeFilesystemMapping = operation: bind: - lib.nameValuePair bind { inherit operation; source = bind; }; - filesystemMappings = - lib.lists.map (makeFilesystemMapping "ro-bind-try") cfg.binds.ro - ++ lib.lists.map (makeFilesystemMapping "bind") cfg.binds.rw - ++ lib.lists.map (makeFilesystemMapping "dev-bind-try") cfg.binds.dev; - in - builtins.listToAttrs filesystemMappings; options.wrappers = let 
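Review bot: Moving the global policies from the option's `default` to `config.policies = cfg.dbus.filter.policies;` turns them from an overridable default into an unconditional merge, so a wrapper's own `policies` can now only add to the global D-Bus allow-list, never replace or narrow it. If that is intended it deserves a comment on the new line, e.g. `# global D-Bus policies are always merged in; per-wrapper policies can only widen them`; if the old per-wrapper override was wanted, `config.policies = lib.mkDefault cfg.dbus.filter.policies;` keeps the previous precedence. How two definitions for the same bus name combine depends on the option type declared elsewhere, which is not visible in this hunk. The enclosing submodule definition starts before and continues past this hunk.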
@@ -198,6 +186,12 @@ in options.sandboxing.bubblewrap = bubblewrapModuleFactory { isGlobal = false; }; config = lib.mkIf (config.sandboxing.variant == "bubblewrap") (lib.mkMerge [ + { + sandboxing.bubblewrap.binds = cfg.binds; + sandboxing.bubblewrap.sharedNixPaths = cfg.sharedNixPaths; + sandboxing.bubblewrap.filesystem = cfg.filesystem; + } + { sandboxing.bubblewrap.binds.ro = getClosurePaths submoduleCfg.sharedNixPaths; sandboxing.bubblewrap.filesystem = @@ -206,7 +200,7 @@ in lib.nameValuePair bind { inherit operation; source = bind; }; filesystemMappings = lib.lists.map (makeFilesystemMapping "ro-bind-try") submoduleCfg.binds.ro - ++ lib.lists.map (makeFilesystemMapping "bind") submoduleCfg.binds.rw + ++ lib.lists.map (makeFilesystemMapping "bind-try") submoduleCfg.binds.rw ++ lib.lists.map (makeFilesystemMapping "dev-bind-try") submoduleCfg.binds.dev; in builtins.listToAttrs filesystemMappings; @@ -231,11 +225,6 @@ in (lib.mapAttrsToList makeFilesystemArgs submoduleCfg.filesystem); } - { - sandboxing.bubblewrap.binds = cfg.binds; - sandboxing.bubblewrap.filesystem = cfg.filesystem; - } - (lib.mkIf submoduleCfg.enableSharedNixStore { sandboxing.bubblewrap.binds.ro = [ builtins.storeDir ] ++ lib.optionals (builtins.storeDir != "/nix/store") [ "/nix/store" ]; })
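Review bot: The new block assigns `cfg.binds`, `cfg.sharedNixPaths` and `cfg.filesystem` into the wrapper's config at normal priority, so global binds and mounts are appended to every bubblewrap wrapper and a per-wrapper definition cannot drop one of them; the block it replaces did the same for `binds` and `filesystem`, but `sharedNixPaths` is newly propagated here. A comment would spare the next reader from guessing whether this is additive by design, e.g. `# global binds/filesystem/sharedNixPaths are additive to every wrapper; per-wrapper settings cannot remove them`. The `config = lib.mkIf ... (lib.mkMerge [` expression continues past this hunk.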
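Review bot: Switching the rw mapping from `bind` to `bind-try` means a misspelled or absent writable source is silently skipped instead of failing the wrapper at startup, and since the global-level mapping that used plain `bind` was deleted in the previous file section, this now applies to global `binds.rw` entries too. The sandbox is not less isolated by this — a skipped bind simply is not mounted — but a program that expects the path to be writable will now fail later and less clearly. Consider a short comment on that line, e.g. `# bind-try: like the ro/dev variants, a missing source is skipped rather than aborting bwrap`, or keep `bind` if fail-fast was intended. The `let ... in builtins.listToAttrs` expression this line belongs to starts before this hunk.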