diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict
new file mode 100644
index 00000000..21238577
--- /dev/null
+++ b/apparmor.d/abstractions/trash-strict
@@ -0,0 +1,82 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Already upstreamed. Different because recent change does not play well
+# with upstream's version.
+
+# There is no 'owner' rule on expunged folders because some internally sandboxed
+# app (using bwrap) run on a different private user.
+
+  owner @{user_config_dirs}/#@{int} rwk,
+  owner @{user_config_dirs}/trashrc rw,
+  owner @{user_config_dirs}/trashrc.* rwl,
+  owner @{user_config_dirs}/trashrc.lock rwk,
+
+  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/trash.so*.@{int}.slave-socket rwl,
+
+  # Home trash location
+  owner @{user_share_dirs}/Trash/ rw,
+  owner @{user_share_dirs}/Trash/#@{int} rw,
+  owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#@{int},
+  owner @{user_share_dirs}/Trash/files/{,**} rw,
+  owner @{user_share_dirs}/Trash/info/ rw,
+  owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw,
+        @{user_share_dirs}/Trash/expunged/ rw,
+        @{user_share_dirs}/Trash/expunged/@{int} rw,
+        @{user_share_dirs}/Trash/expunged/@{int}/ rw,
+        @{user_share_dirs}/Trash/expunged/@{int}/** rw,
+
+  # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
+  owner @{MOUNTS}/.Trash/ rw,
+  owner @{MOUNTS}/.Trash/@{uid}/ rw,
+  owner @{MOUNTS}/.Trash/@{uid}/#@{int} rw,
+  owner @{MOUNTS}/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash/@{uid}/#@{int},
+  owner @{MOUNTS}/.Trash/@{uid}/files/{,**} rw,
+  owner @{MOUNTS}/.Trash/@{uid}/info/ rw,
+  owner @{MOUNTS}/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
+        @{MOUNTS}/.Trash/@{uid}/expunged/ rw,
+        @{MOUNTS}/.Trash/@{uid}/expunged/@{int} rw,
+        @{MOUNTS}/.Trash/@{uid}/expunged/@{int}/ rw,
+        @{MOUNTS}/.Trash/@{uid}/expunged/@{int}/** rw,
+
+  # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
+  owner @{MOUNTS}/.Trash-@{uid}/ rw,
+  owner @{MOUNTS}/.Trash-@{uid}/#@{int} rw,
+  owner @{MOUNTS}/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash-@{uid}/#@{int},
+  owner @{MOUNTS}/.Trash-@{uid}/files/{,**} rw,
+  owner @{MOUNTS}/.Trash-@{uid}/info/ rw,
+  owner @{MOUNTS}/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
+        @{MOUNTS}/.Trash-@{uid}/expunged/ rw,
+        @{MOUNTS}/.Trash-@{uid}/expunged/@{int} rw,
+        @{MOUNTS}/.Trash-@{uid}/expunged/@{int}/ rw,
+        @{MOUNTS}/.Trash-@{uid}/expunged/@{int}/** rw,
+
+  # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
+  owner @{MOUNTS}/*/.Trash/ rw,
+  owner @{MOUNTS}/*/.Trash/@{uid}/ rw,
+  owner @{MOUNTS}/*/.Trash/@{uid}/#@{int} rw,
+  owner @{MOUNTS}/*/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash/@{uid}/#@{int},
+  owner @{MOUNTS}/*/.Trash/@{uid}/files/{,**} rw,
+  owner @{MOUNTS}/*/.Trash/@{uid}/info/ rw,
+  owner @{MOUNTS}/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
+        @{MOUNTS}/*/.Trash/@{uid}/expunged/ rw,
+        @{MOUNTS}/*/.Trash/@{uid}/expunged/@{int} rw,
+        @{MOUNTS}/*/.Trash/@{uid}/expunged/@{int}/ rw,
+        @{MOUNTS}/*/.Trash/@{uid}/expunged/@{int}/** rw,
+
+  # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
+  owner @{MOUNTS}/*/.Trash-@{uid}/ rw,
+  owner @{MOUNTS}/*/.Trash-@{uid}/#@{int} rw,
+  owner @{MOUNTS}/*/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash-@{uid}/#@{int},
+  owner @{MOUNTS}/*/.Trash-@{uid}/files/{,**} rw,
+  owner @{MOUNTS}/*/.Trash-@{uid}/info/ rw,
+  owner @{MOUNTS}/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
+        @{MOUNTS}/*/.Trash-@{uid}/expunged/ rw,
+        @{MOUNTS}/*/.Trash-@{uid}/expunged/@{int} rw,
+        @{MOUNTS}/*/.Trash-@{uid}/expunged/@{int}/ rw,
+        @{MOUNTS}/*/.Trash-@{uid}/expunged/@{int}/** rw,
+
+  include if exists <abstractions/trash-strict.d>
diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre
index 5283fbf1..1609a4a7 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@@ -35,7 +35,7 @@ profile calibre @{exec_path} {
   include <abstractions/qt5-shader-cache>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
   include <abstractions/user-download-strict>
 
   capability sys_ptrace,
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index c0ba6d9c..41a84cbc 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -17,7 +17,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/deny-sensitive-home>
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index d673e3bf..9774052b 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -24,7 +24,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
 
   # mqueue r type=posix /,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash
index 19b705b1..6fb725ef 100644
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@@ -13,7 +13,7 @@ profile gvfsd-trash @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
 
   # When mounting a SMB share
   network inet stream,
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker
index 2fae9855..f78f33cb 100644
--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@@ -16,7 +16,7 @@ profile kioworker @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-write>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
 
   network inet dgram,
   network inet6 dgram,
diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk
index 2d1f2852..3da3784e 100644
--- a/apparmor.d/profiles-s-z/transmission-gtk
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -14,7 +14,7 @@ profile transmission-gtk @{exec_path} {
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
-  include <abstractions/trash>
+  include <abstractions/trash-strict>
   include <abstractions/user-download-strict>
 
   network inet dgram,