diff --git a/crates/spfs/src/env.rs b/crates/spfs/src/env.rs
index 1c2a1a9408..5c93569429 100644
--- a/crates/spfs/src/env.rs
+++ b/crates/spfs/src/env.rs
@@ -326,27 +326,42 @@ impl RuntimeConfigurator
 where
 MountNamespace: __private::CurrentThreadIsInMountNamespace,
 {
- /// Privatize mounts in the current namespace, so that new mounts and changes
+ /// Remount key existing mount points so that new mounts and changes
 /// to existing mounts don't propagate to the parent namespace.
- pub async fn privatize_existing_mounts(&self) -> Result<()> {
+ ///
+ /// We use MS_SLAVE for system mounts because we still want mount and
+ /// unmount events from the system to propagate into this new namespace.
+ /// We privatize any existing /spfs mount, though because we are likely
+ /// to replace it and don't want to affect any parent runtime.
+ pub async fn remove_mount_propagation(&self) -> Result<()> {
 use nix::mount::{mount, MsFlags};
- tracing::debug!("privatizing existing mounts...");
+ tracing::debug!("disable sharing of new mounts...");
- let mut res = mount(NONE, "/", NONE, MsFlags::MS_PRIVATE, NONE);
+ let mut res = mount(NONE, "/", NONE, MsFlags::MS_SLAVE, NONE);
 if let Err(err) = res {
 return Err(Error::wrap_nix(
 err,
- "Failed to privatize existing mount: /",
+ "Failed to remove propagation from existing mount: /",
 ));
 }
+ if self.is_mounted("/spfs").await? {
+ res = mount(NONE, "/spfs", NONE, MsFlags::MS_PRIVATE, NONE);
+ if let Err(err) = res {
+ return Err(Error::wrap_nix(
+ err,
+ "Failed to privatize existing mount: /spfs",
+ ));
+ }
+ }
+
 if self.is_mounted("/tmp").await? {
- res = mount(NONE, "/tmp", NONE, MsFlags::MS_PRIVATE, NONE);
+ res = mount(NONE, "/tmp", NONE, MsFlags::MS_SLAVE, NONE);
 if let Err(err) = res {
 return Err(Error::wrap_nix(
 err,
- "Failed to privatize existing mount: /tmp",
+ "Failed to remove propagation from existing mount: /tmp",
 ));
 }
 }
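Review bot: The `mount(NONE, "/", NONE, MsFlags::MS_SLAVE, NONE)` call and the matching `/tmp` call are made without `MsFlags::MS_REC`, so only those individual mounts change propagation type; any other submount that is still shared would keep propagating mounts created beneath it to the parent namespace, which the first sentence of the doc comment does not say. With `MS_SLAVE` the namespace also keeps receiving mount and unmount events from the parent on `/` and `/tmp`, so the name `remove_mount_propagation` and the message `"Failed to remove propagation from existing mount: /"` overstate the isolation a reader can expect. I would add a line to the doc comment such as `/// Only /, /spfs and /tmp are changed, and not recursively; mounts made under other shared mount points still propagate to the parent.`, or, if one-way isolation of the whole tree is intended, pass `MsFlags::MS_REC | MsFlags::MS_SLAVE` for `/`. The function body continues past the end of this hunk, so later handling is not visible here.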
diff --git a/crates/spfs/src/status_unix.rs b/crates/spfs/src/status_unix.rs
index a006b9b96f..df7fa7f831 100644
--- a/crates/spfs/src/status_unix.rs
+++ b/crates/spfs/src/status_unix.rs
@@ -221,7 +221,7 @@ pub async fn initialize_runtime(rt: &mut runtime::Runtime) -> Result {