diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index 0a3e51a8..710f6c9b 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -11,33 +11,19 @@ include <tunables/global>
 @{exec_path} = @{bin}/bwrap
 profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
+  include <abstractions/bwrap>
   include <abstractions/bwrap-app>
   include <abstractions/dbus>
   include <abstractions/fontconfig-cache-write>
 
   capability dac_override,
   capability dac_read_search,
-  capability net_admin,
-  capability setpcap,
-  capability sys_admin,
-  capability sys_ptrace,
   capability sys_resource,
 
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
-  network netlink raw,
-
-  mount options=(rw, silent, rslave) -> /,
-  mount fstype=tmpfs -> /tmp/,
-  mount -> /newroot/{,**},
-  mount -> /oldroot/,
-  mount -> /tmp/newroot/,
-  umount /{,oldroot/},
-
-  pivot_root oldroot=/newroot/ -> /newroot/,
-  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
 
   ptrace peer=bwrap//&bwrap-app,
 
@@ -66,13 +52,6 @@ profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{run}/ld-so-cache-dir/* rw,
 
-        @{PROC}/sys/kernel/overflowgid r,
-        @{PROC}/sys/kernel/overflowuid r,
-        @{PROC}/sys/user/max_user_namespaces w,
-  owner @{PROC}/@{pid}/gid_map rw,
-  owner @{PROC}/@{pid}/setgroups rw,
-  owner @{PROC}/@{pid}/uid_map rw,
-
   include if exists <usr/bwrap.d>
   include if exists <local/bwrap>
 }
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index e607fe42..3962861d 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -22,18 +22,15 @@ include <tunables/global>
 
 profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
-  include <abstractions/bwrap-app>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bwrap-app>
+  include <abstractions/bwrap>
 
   capability dac_override,
   capability dac_read_search,
-  capability net_admin,
   # When bwrap is setup with setuid privileges, it needs the setuid capability.
   capability setuid,
-  capability setpcap,
-  capability sys_admin,
-  capability sys_ptrace,
   capability sys_resource,
 
   network inet dgram,
@@ -43,16 +40,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   network netlink dgram,
   network netlink raw,
 
-  mount options=(rw, silent, rslave) -> /,
-  mount fstype=tmpfs -> /tmp/,
-  mount -> /newroot/{,**},
-  mount -> /oldroot/,
-  mount -> /tmp/newroot/,
-  umount /{,oldroot/},
-
-  pivot_root oldroot=/newroot/ -> /newroot/,
-  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
-
   ptrace (read),
 
   signal (receive) set=(int) peer=flatpak-portal,
@@ -95,16 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   owner @{run}/flatpak/app/*/*ipc* rw,
   owner @{run}/ld-so-cache-dir/* rw,
 
-        @{PROC}/@{pid}/fd/ r,
-        @{PROC}/sys/kernel/overflowgid r,
-        @{PROC}/sys/kernel/overflowuid r,
-        @{PROC}/sys/user/max_user_namespaces w,
-  owner @{PROC}/@{pid}/gid_map rw,
-  owner @{PROC}/@{pid}/setgroups rw,
-  owner @{PROC}/@{pid}/uid_map rw,
-
-  deny /apparmor/.null rw,
-
   include if exists <usr/flatpak-app.d>
   include if exists <local/flatpak-app>
 }
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index 947dda2b..ce8d43b8 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -24,6 +24,7 @@ include <tunables/global>
 profile steam-game @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bwrap>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-write>
@@ -34,9 +35,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 
   capability dac_override,
   capability dac_read_search,
-  capability setpcap,
-  capability sys_admin,
-  capability sys_ptrace,
 
   network inet dgram,
   network inet6 dgram,
@@ -44,16 +42,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  mount options=(rw, silent, rslave) -> /,
-  mount fstype=tmpfs -> /tmp/,
-  mount -> /newroot/{,**},
-  mount -> /oldroot/,
-  mount -> /tmp/newroot/,
-  umount /{,oldroot/},
-
-  pivot_root oldroot=/newroot/ -> /newroot/,
-  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
-
   signal (receive) peer=steam,
 
   unix (receive) type=stream,
@@ -122,8 +110,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   /etc/udev/udev.conf r,
   /var/lib/dbus/machine-id r,
 
-  /newroot/{,**} rw,
-
   /var/cache/ldconfig/aux-cache* rw,
 
   / r,
@@ -206,21 +192,15 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 
         @{PROC}/@{pids}/net/dev r,
         @{PROC}/@{pids}/net/route r,
-        @{PROC}/sys/kernel/overflowgid r,
-        @{PROC}/sys/kernel/overflowuid r,
         @{PROC}/uptime r,
         @{PROC}/version r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/gid_map rw,
-  owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/setgroups rw,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
-  owner @{PROC}/@{pid}/uid_map rw,
 
   /dev/hidraw@{int} rw,
   /dev/input/ r,