diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 15b73a2d1..9e6dbc2e0 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 
   /dev/tty rw,
 
+  # file_inherit
+  deny /opt/*/** r,
+  deny owner @{user_config_dirs}/*/** rw,
+  deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
   profile bus flags=(complain) {
     include <abstractions/base>
     include <abstractions/app/bus>
diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid
index 3eee035fe..4105a7419 100644
--- a/apparmor.d/groups/utils/blkid
+++ b/apparmor.d/groups/utils/blkid
@@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
   @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
-  @{run}/cloud-init/ds-identify.log w, # file_inherit
-
   @{PROC}/@{pid}/mounts r,
   @{PROC}/partitions r,
   @{PROC}/swaps r,
@@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 
   owner /dev/tty@{int} rw,
 
+  # file_inherit
+  deny @{run}/cloud-init/ds-identify.log w,
+
   include if exists <local/blkid>
 }
 
diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci
index e8ba89298..c6ac0fdcd 100644
--- a/apparmor.d/groups/utils/lspci
+++ b/apparmor.d/groups/utils/lspci
@@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   @{PROC}/cmdline r,
   @{PROC}/ioports r,
 
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  # file_inherit
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
+  deny owner @{user_cache_dirs}/*/** rw,
 
   include if exists <local/lspci>
 }
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index bbdb3da62..849599977 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) {
   owner @{desktop_config_dirs}/dconf/user rw,
   owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
 
+  # file_inherit
+  deny network netlink raw,
+  deny /etc/nsswitch.conf r,
+  deny /etc/passwd r,
+  deny /opt/*/** r,
+  deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf
+  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
   include if exists <local/gsettings>
 }