diff --git a/etc/disable-common.inc b/etc/disable-common.inc
index 19be56f86..e5de0b61f 100644
--- a/etc/disable-common.inc
+++ b/etc/disable-common.inc
@@ -75,6 +75,7 @@ blacklist ${HOME}/.kde4/share/config/plasma-desktop-appletsrc
 blacklist ${HOME}/.local/share/kglobalaccel
 blacklist ${HOME}/.local/share/kwin
 blacklist ${HOME}/.local/share/plasma
+blacklist ${HOME}/.local/share/plasmashell
 blacklist ${HOME}/.local/share/solid
 read-only ${HOME}/.cache/ksycoca5_*
 read-only ${HOME}/.config/*notifyrc
diff --git a/etc/disable-programs.inc b/etc/disable-programs.inc
index 3f0d7b337..de88cbc24 100644
--- a/etc/disable-programs.inc
+++ b/etc/disable-programs.inc
@@ -363,6 +363,7 @@ blacklist ${HOME}/.local/share/data/MuseScore
 blacklist ${HOME}/.local/share/data/qBittorrent
 blacklist ${HOME}/.local/share/dino
 blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.local/share/emailidentities
 blacklist ${HOME}/.local/share/epiphany
 blacklist ${HOME}/.local/share/evolution
 blacklist ${HOME}/.local/share/feral-interactive
@@ -405,6 +406,7 @@ blacklist ${HOME}/.local/share/okular
 blacklist ${HOME}/.local/share/orage
 blacklist ${HOME}/.local/share/org.kde.gwenview
 blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/plasma_notes
 blacklist ${HOME}/.local/share/psi+
 blacklist ${HOME}/.local/share/qpdfview
 blacklist ${HOME}/.local/share/qutebrowser
diff --git a/etc/kate.profile b/etc/kate.profile
index a3d2be6b2..5042077e5 100644
--- a/etc/kate.profile
+++ b/etc/kate.profile
@@ -42,4 +42,7 @@ private-dev
 # private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
 private-tmp
 
+# noexec ${HOME}
+noexec /tmp
+
 join-or-start kate
diff --git a/etc/kmail.profile b/etc/kmail.profile
index 3ee8370cb..952af55c8 100644
--- a/etc/kmail.profile
+++ b/etc/kmail.profile
@@ -5,7 +5,7 @@ include /etc/firejail/kmail.local
 # Persistent global definitions
 include /etc/firejail/globals.local
 
-# if akonadi has a mysql backend, starting it inside this sandbox will fail
+# if akonadi has a mysql backend, starting it inside this sandbox will fail.
 # one solution is to have akonadi already running when kmail is launched
 
 noblacklist ${HOME}/.cache/akonadi*
@@ -15,6 +15,7 @@ noblacklist ${HOME}/.config/emailidentities
 noblacklist ${HOME}/.config/kmail2rc
 noblacklist ${HOME}/.local/share/akonadi/*
 noblacklist ${HOME}/.local/share/contacts
+noblacklist ${HOME}/.local/share/emailidentities
 noblacklist ${HOME}/.local/share/kmail2
 noblacklist ${HOME}/.local/share/local-mail
 noblacklist ${HOME}/.gnupg
diff --git a/etc/kwrite.profile b/etc/kwrite.profile
index a785f3541..1c4e50b77 100644
--- a/etc/kwrite.profile
+++ b/etc/kwrite.profile
@@ -43,4 +43,7 @@ private-dev
 private-etc fonts,kde4rc,kde5rc,ld.so.cache,machine-id,pulse,xdg
 private-tmp
 
+noexec ${HOME}
+noexec /tmp
+
 join-or-start kwrite