diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 89ea1f747..7eb223b09 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -29,8 +29,6 @@
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
-  include <abstractions/user-download-strict>
-  include <abstractions/user-read-strict>
 
   # userns,
 
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 75c3c0f86..ef8bf5842 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -16,6 +16,8 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   signal (send) set=(term, kill) peer=keepassxc-proxy,
 
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index 995f94f8f..02bbb92a6 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{name} = firefox{,.sh,-esr,-bin}
+@{name} = firefox{,-esr,-bin}
 @{lib_dirs} = @{lib}/@{name} /opt/@{name}
 @{config_dirs} = @{HOME}/.mozilla/
 @{cache_dirs} = @{user_cache_dirs}/mozilla/
diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser
index 6b9b6dbab..c0c4a893e 100644
--- a/apparmor.d/groups/browsers/torbrowser
+++ b/apparmor.d/groups/browsers/torbrowser
@@ -17,6 +17,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/firefox>
 
+  # Uncomment if you want to give the Tor Browser access to the common download directory.
+  # include <abstractions/user-download-strict>
+
   @{exec_path} mrix,
 
   @{lib_dirs}/abicheck           ix,
@@ -41,6 +44,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
   owner "@{tmp}/Tor Project*/**" rwk,
 
   # Due to the nature of the browser, we silence much more than for Firefox.
+  deny capability sys_ptrace,
   deny network inet dgram, # TOR does not work over UDP
   deny network inet6 dgram,
   deny network inet6 stream, # TOR does not work over IPv6
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 28b0a4836..dbf045333 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -16,6 +16,8 @@ include <tunables/global>
 profile thunderbird @{exec_path} {
   include <abstractions/base>
   include <abstractions/app/firefox>
+  include <abstractions/user-download-strict>
+  include <abstractions/user-read-strict>
 
   #aa:dbus own bus=session name=org.mozilla.thunderbird