diff --git a/app_containers/.local/bin/run_app_container b/app_containers/.local/bin/run_app_container index 2c06ea2..13f8215 100755 --- a/app_containers/.local/bin/run_app_container +++ b/app_containers/.local/bin/run_app_container @@ -32,9 +32,12 @@ fi if [[ -n $PULSE_SERVER ]]; then # remove prefix host_pulse=${PULSE_SERVER#unix:} else # default guess - host_pulse=$XDG_RUNTIME_DIR/pulse + host_pulse=$XDG_RUNTIME_DIR/pulse/native fi +[ -S $host_pulse ] || die "PulseAudio UNIX socket not found" +mkdir $container_xdg_runtime/pulse + # Default username (assume `user` always has the same uid as the host user) run_as=user homedir=/home/user @@ -44,6 +47,8 @@ if [ "$CONTAINER_RUN_AS_ROOT" = true ]; then fi SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINER_NAME \ + `# This doesn't provide userns isolation, but it does provide capability isolation` \ + --private-users=identity \ `# DNS (when containers do not have their own netns)` \ --bind-ro=/run/systemd/resolve/stub-resolv.conf:/etc/resolv.conf \ `# GPU` \ @@ -62,7 +67,7 @@ SUDO_ASKPASS=$HOME/.local/bin/askpass-bemenu sudo -A systemd-nspawn -M $CONTAINE --bind-ro=$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/run/host/$WAYLAND_DISPLAY \ --setenv=WAYLAND_DISPLAY=$WAYLAND_DISPLAY \ `# PulseAudio` \ - --bind-ro=$host_pulse:/run/host/pulse \ + --bind-ro=$host_pulse:/run/host/pulse/native \ --setenv=PULSE_SERVER=unix:/run/host/pulse/native \ `# DBus` \ --bind-ro=$host_bus:/run/host/bus \
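Review bot: In the first hunk, `[ -S $host_pulse ]` is unquoted, so when the value expands to nothing (for example `PULSE_SERVER=unix:`) the test collapses to the one-argument form `[ -S ]`, which is true, and `die` never fires. The same unquoted `$host_pulse` feeds the third hunk's `--bind-ro=` argument to `sudo -A systemd-nspawn`, where whitespace in the value would split into extra arguments. I would write `[[ -S "$host_pulse" ]] || die "PulseAudio UNIX socket not found"` here and `"--bind-ro=$host_pulse:/run/host/pulse/native"` there. `mkdir $container_xdg_runtime/pulse` also fails when the directory is left over from an earlier run, and its status is not checked in the visible lines; `mkdir -p -- "$container_xdg_runtime/pulse" || die "cannot create pulse directory"` covers both. `container_xdg_runtime` and `die` are defined outside the hunk.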
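Review bot: The inline comment added above `--private-users=identity` in the second hunk says what the option does not provide, but not what that leaves exposed. With an identity map, uid 0 inside the container is uid 0 on the host for any file reachable through a writable bind mount, which matters for the `CONTAINER_RUN_AS_ROOT` branch named in the hunk header. I would extend the comment text to `# identity map: capabilities are namespaced, but uids match the host, so writable binds are writable as the same uid`. The `identity` value is, as far as I know, only accepted by newer systemd releases, so a note on the minimum version would help. The `systemd-nspawn` command line continues outside the hunk.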
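Review bot: In the third hunk, `--bind-ro=$host_pulse:/run/host/pulse/native` makes the mount read-only, but that does not restrict `connect()` on the socket. The container therefore still has full client access to the host PulseAudio server, for playback and capture. A comment would keep a reader from taking `-ro` as a sandboxing boundary, e.g. changing the marker to `# PulseAudio (ro mount only; the socket itself is fully usable by the container)`. The command line continues outside the hunk.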