diff --git a/contrib/syntax/lists/syscall_groups.list b/contrib/syntax/lists/syscall_groups.list
index afd7ebb11..4a7e542a9 100644
--- a/contrib/syntax/lists/syscall_groups.list
+++ b/contrib/syntax/lists/syscall_groups.list
@@ -20,6 +20,7 @@ network-io
 obsolete
 privileged
 process
+program-keep
 raw-io
 reboot
 resources
diff --git a/etc/templates/syscalls.txt b/etc/templates/syscalls.txt
index 412f510c9..b03eeeee2 100644
--- a/etc/templates/syscalls.txt
+++ b/etc/templates/syscalls.txt
@@ -33,7 +33,7 @@ Definition of groups
 @cpu-emulation=modify_ldt,subpage_prot,switch_endian,vm86,vm86old
 @debug=lookup_dcookie,perf_event_open,pidfd_getfd,process_vm_writev,rtas,s390_runtime_instr,sys_debug_setcontext,uprobe,uretprobe
 @default=@clock,@cpu-emulation,@debug,@module,@mount,@obsolete,@raw-io,@reboot,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,keyctl,mbind,migrate_pages,move_pages,name_to_handle_at,nfsservctl,open_by_handle_at,request_key,set_mempolicy,setdomainname,sethostname,syslog,userfaultfd,vhangup,vmsplice
-@default-keep=arch_prctl,clock_getres,clock_getres_time64,clock_gettime,clock_gettime64,clock_nanosleep,clock_nanosleep_time64,execv,execve,execveat,exit,futex,gettimeofday,mmap,mmap2,mprotect,prctl,time
+@default-keep=execve,execveat,prctl
 @default-nodebuggers=@default,personality,process_vm_readv,ptrace
 @file-system=access,cachestat,chdir,chmod,close,close_range,creat,faccessat,faccessat2,fallocate,fanotify_mark,fchdir,fchmod,fchmodat,fchmodat2,fcntl,fcntl64,fgetxattr,file_getattr,file_setattr,flistxattr,fremovexattr,fsetxattr,fstat,fstat64,fstatat64,fstatfs,fstatfs64,ftruncate,ftruncate64,getcwd,getdents,getdents64,getxattr,getxattrat,inotify_add_watch,inotify_init,inotify_init1,inotify_rm_watch,lgetxattr,link,linkat,listxattr,listxattrat,llistxattr,lremovexattr,lsetxattr,lstat,lstat64,mkdir,mkdirat,mknod,mknodat,munmap,newfstatat,oldfstat,oldlstat,oldstat,open,openat,openat2,osf_fstat,osf_fstatfs,osf_fstatfs64,osf_getdirentries,osf_lstat,osf_proplist_syscall,osf_utimes,quotactl_fd,readlink,readlinkat,removexattr,removexattrat,rename,renameat,renameat2,rmdir,setxattr,setxattrat,stat,stat64,statfs,statfs64,statx,symlink,symlinkat,truncate,truncate64,unlink,unlinkat,utimensat,utimes
 @io-event=_newselect,epoll_create,epoll_create1,epoll_ctl,epoll_pwait,epoll_pwait2,epoll_wait,eventfd,eventfd2,osf_select,poll,ppoll,ppoll_time64,pselect6,pselect6_time64,select
@@ -44,9 +44,10 @@ Definition of groups
 @module=delete_module,finit_module,init_module
 @mount=chroot,fsconfig,fsmount,fsopen,fspick,listmount,mount,mount_setattr,move_mount,oldumount,open_tree,open_tree_attr,osf_mount,pivot_root,statmount,umount,umount2
 @network-io=accept,accept4,bind,connect,getpeername,getsockname,getsockopt,listen,recv,recvfrom,recvmmsg,recvmmsg_time64,recvmsg,send,sendmmsg,sendmsg,sendto,setsockopt,shutdown,socket,socketcall,socketpair
-@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,dipc,epoll_ctl_old,epoll_wait_old,exec_with_loader,ftime,futimesat,get_kernel_syms,getpmsg,gtty,idle,llseek,lock,mpx,multiplexer,osf_adjtime,osf_afs_syscall,osf_alt_plock,osf_alt_setsid,osf_alt_sigpending,osf_asynch_daemon,osf_audcntl,osf_audgen,osf_chflags,osf_execve,osf_exportfs,osf_fchflags,osf_fdatasync,osf_fpathconf,osf_fuser,osf_getaddressconf,osf_getfh,osf_getfsstat,osf_gethostid,osf_getlogin,osf_getmnt,osf_gettimeofday,osf_kloadcall,osf_kmodcall,osf_memcntl,osf_mincore,osf_mremap,osf_msfs_syscall,osf_msleep,osf_mvalid,osf_mwakeup,osf_naccept,osf_nfssvc,osf_ngetpeername,osf_ngetsockname,osf_nrecvfrom,osf_nrecvmsg,osf_nsendmsg,osf_ntp_adjtime,osf_ntp_gettime,osf_old_creat,osf_old_fstat,osf_old_getpgrp,osf_old_killpg,osf_old_lstat,osf_old_open,osf_old_sigaction,osf_old_sigblock,osf_old_sigreturn,osf_old_sigsetmask,osf_old_sigvec,osf_old_stat,osf_old_vadvise,osf_old_vtrace,osf_old_wait,osf_oldquota,osf_pathconf,osf_pid_block,osf_pid_unblock,osf_plock,osf_priocntlset,osf_profil,osf_reboot,osf_revoke,osf_sbrk,osf_security,osf_set_speculative,osf_sethostid,osf_setlogin,osf_settimeofday,osf_signal,osf_sigsendset,osf_sigwaitprim,osf_sstk,osf_stat,osf_statfs,osf_statfs64,osf_subsys_info,osf_swapctl,osf_table,osf_uadmin,osf_uswitch,osf_utc_adjtime,osf_utc_gettime,osf_waitid,perfctr,prof,profil,putpmsg,query_module,remap_file_pages,security,settimeofday,sgetmask,spill,ssetmask,stime,stty,sysfs,timerfd,tkill,tuxcall,ulimit,uselib,ustat,utime,vserver,xtensa
+@obsolete=_sysctl,afs_syscall,bdflush,break,create_module,dipc,epoll_ctl_old,epoll_wait_old,exec_with_loader,execv,ftime,futimesat,get_kernel_syms,getpmsg,gtty,idle,llseek,lock,mpx,multiplexer,osf_adjtime,osf_afs_syscall,osf_alt_plock,osf_alt_setsid,osf_alt_sigpending,osf_asynch_daemon,osf_audcntl,osf_audgen,osf_chflags,osf_execve,osf_exportfs,osf_fchflags,osf_fdatasync,osf_fpathconf,osf_fuser,osf_getaddressconf,osf_getfh,osf_getfsstat,osf_gethostid,osf_getlogin,osf_getmnt,osf_gettimeofday,osf_kloadcall,osf_kmodcall,osf_memcntl,osf_mincore,osf_mremap,osf_msfs_syscall,osf_msleep,osf_mvalid,osf_mwakeup,osf_naccept,osf_nfssvc,osf_ngetpeername,osf_ngetsockname,osf_nrecvfrom,osf_nrecvmsg,osf_nsendmsg,osf_ntp_adjtime,osf_ntp_gettime,osf_old_creat,osf_old_fstat,osf_old_getpgrp,osf_old_killpg,osf_old_lstat,osf_old_open,osf_old_sigaction,osf_old_sigblock,osf_old_sigreturn,osf_old_sigsetmask,osf_old_sigvec,osf_old_stat,osf_old_vadvise,osf_old_vtrace,osf_old_wait,osf_oldquota,osf_pathconf,osf_pid_block,osf_pid_unblock,osf_plock,osf_priocntlset,osf_profil,osf_reboot,osf_revoke,osf_sbrk,osf_security,osf_set_speculative,osf_sethostid,osf_setlogin,osf_settimeofday,osf_signal,osf_sigsendset,osf_sigwaitprim,osf_sstk,osf_stat,osf_statfs,osf_statfs64,osf_subsys_info,osf_swapctl,osf_table,osf_uadmin,osf_uswitch,osf_utc_adjtime,osf_utc_gettime,osf_waitid,perfctr,prof,profil,putpmsg,query_module,remap_file_pages,security,settimeofday,sgetmask,spill,ssetmask,stime,stty,sysfs,timerfd,tkill,tuxcall,ulimit,uselib,ustat,utime,vserver,xtensa
 @privileged=@chown,@clock,@module,@raw-io,@reboot,@swap,_sysctl,acct,bpf,capset,chroot,fanotify_init,mount,nfsservctl,open_by_handle_at,pivot_root,quotactl,setdomainname,setfsuid,setfsuid32,setgroups,setgroups32,sethostname,setresuid,setresuid32,setreuid,setreuid32,setuid,setuid32,umount2,vhangup
 @process=arc_gettls,arc_settls,arc_usr_cmpxchg,atomic_barrier,atomic_cmpxchg_32,cachectl,cacheflush,capget,clone,clone3,exit_group,fork,futex_requeue,futex_time64,futex_wait,futex_waitv,futex_wake,get_robust_list,get_thread_area,getegid,getegid32,geteuid,geteuid32,getgid,getgid32,getgroups,getgroups32,getpgid,getpgrp,getpid,getppid,getresgid,getresgid32,getresuid,getresuid32,getsid,gettid,getuid,getuid32,getxgid,getxpid,getxuid,kill,membarrier,or1k_atomic,osf_set_program_attributes,osf_wait4,pidfd_open,pidfd_send_signal,riscv_flush_icache,rseq,rseq_slice_yield,rt_sigqueueinfo,rt_tgsigqueueinfo,s390_guarded_storage,sched_get_affinity,set_robust_list,set_thread_area,set_tid_address,sethae,setns,setpgrp,setpriority,spu_create,spu_run,swapcontext,tgkill,times,unshare,utimensat_time64,vfork,wait4,waitid,waitpid
+@program-keep=arch_prctl,clock_getres,clock_getres_time64,clock_gettime,clock_gettime64,clock_nanosleep,clock_nanosleep_time64,exit,futex,gettimeofday,mmap,mmap2,mprotect,time
 @raw-io=ioperm,iopl,pciconfig_iobase,pciconfig_read,pciconfig_write,s390_pci_mmio_read,s390_pci_mmio_write
 @reboot=kexec_file_load,kexec_load,reboot
 @resources=getdtablesize,getrlimit,getrusage,ioprio_set,mbind,migrate_pages,mincore,move_pages,nice,osf_getrusage,prlimit64,sched_set_affinity,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy,set_mempolicy_home_node,setrlimit,ugetrlimit
@@ -61,9 +62,9 @@ Definition of groups
 Inheritance of groups
 ---------------------
- +---------------+ - | @default-keep | - +---------------+ + +---------------+ +---------------+ + | @default-keep | | @program-keep | + +---------------+ +---------------+ +----------------------+ +-----------------+
diff --git a/src/include/syscall.h b/src/include/syscall.h
index 196126f43..66829d904 100644
--- a/src/include/syscall.h
+++ b/src/include/syscall.h
@@ -38,7 +38,7 @@ const char *errno_find_nr(int nr);
 void syscall_print(void);
 void syscall_print_32(void);
 void syscall_groups_print(void);
-void syscall_in_groups_print(const char *name);
+void syscall_in_groups_print(const char *groups_list);
 typedef void (filter_fn)(int fd, int syscall, int arg, void *ptrarg, bool native);
 int syscall_check_list(const char *slist, filter_fn *callback, int fd, int arg, void *ptrarg, bool native);
 const char *syscall_find_nr(int nr);
diff --git a/src/lib/syscall.c b/src/lib/syscall.c
index ad323972f..e958ca26a 100644
--- a/src/lib/syscall.c
+++ b/src/lib/syscall.c
@@ -420,42 +420,11 @@ static const SyscallGroupList sysgroups[] = {
 "__dummy_syscall__"
 },
 { .name = "@default-keep",
- .description = "Minimal core exec and other syscalls usually kept even under strict filters.",
+ .description = "System calls needed by Firejail itself, kept even under strict filters.",
 .list =
-#ifdef SYS_arch_prctl
- "arch_prctl," // breaks glibc, i386 and x86_64 only
-#endif
- "clock_getres," // clock_getres*, stop programs that try to read theoretical resolution
-#ifdef SYS_clock_getres_time64
- "clock_getres_time64,"
-#endif
- "clock_gettime," // *gettime* and time, stop programs that try to read time
-#ifdef SYS_clock_gettime64
- "clock_gettime64,"
-#endif
- "clock_nanosleep," // clock_nanosleep*, stop programs that try to use sleep functions
-#ifdef SYS_clock_nanosleep_time64
- "clock_nanosleep_time64,"
-#endif
-#ifdef SYS_execv
- "execv," // sparc only
-#endif
 "execve,"
 "execveat," // commonly used by fexecve
- "exit," // breaks most Qt applications
- "futex," // frequently used and causes breakages
- "gettimeofday,"
-#ifdef SYS_mmap
- "mmap," // cannot load shared libraries
-#endif
-#ifdef SYS_mmap2
- "mmap2,"
-#endif
- "mprotect," // cannot load shared libraries
 "prctl,"
-#ifdef SYS_time
- "time,"
-#endif
 "__dummy_syscall__"
 },
 { .name = "@default-nodebuggers",
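Review bot: The hunk shrinks `@default-keep` to execve/execveat/prctl and relabels it as the set "needed by Firejail itself", but the code that actually honours "kept even under strict filters" is not in the diff, so it cannot be confirmed here that mmap, mmap2, mprotect, futex, exit and the clock_* calls keep that protection once they leave this group. If the filter builder only special-cases `@default-keep`, a `--seccomp.drop` list naming one of the moved calls (or the new `@program-keep` as a whole) will presumably now be accepted and produce a filter that kills the sandboxed program at exec, which is exactly what the removed "cannot load shared libraries" entries existed to prevent. I would name that consumer next to the group and record why prctl stays, e.g. `{ .name = "@default-keep", // force-allowed by the seccomp filter builder; keep that code in sync with this list` and `"prctl," // used by firejail itself (see description) — note the call site`. The sysgroups[] array begins and ends outside the hunk.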
@@ -1112,6 +1081,9 @@ static const SyscallGroupList sysgroups[] = {
 #ifdef SYS_exec_with_loader
 "exec_with_loader,"
 #endif
+#ifdef SYS_execv
+ "execv,"
+#endif
 #ifdef SYS_ftime
 "ftime,"
 #endif
@@ -1778,6 +1750,53 @@ static const SyscallGroupList sysgroups[] = {
 #endif
 #ifdef SYS_waitpid
 "waitpid,"
+#endif
+ "__dummy_syscall__"
+ },
+ { .name = "@program-keep", // syscalls in this group should never be present in `@default` and its sub-groups
+ .description = "Some system calls commonly invoked by programs, blocking them can cause widespread breakage.",
+ .list =
+#ifdef SYS_arch_prctl
+ "arch_prctl," // breaks glibc, i386 and x86_64 only
+#endif
+#ifdef SYS_clock_getres
+ "clock_getres," // clock_getres*, stop programs that try to read theoretical resolution
+#endif
+#ifdef SYS_clock_getres_time64
+ "clock_getres_time64,"
+#endif
+#ifdef SYS_clock_gettime
+ "clock_gettime," // *gettime* and time, stop programs that try to read time
+#endif
+#ifdef SYS_clock_gettime64
+ "clock_gettime64,"
+#endif
+#ifdef SYS_clock_nanosleep
+ "clock_nanosleep," // clock_nanosleep*, stop programs that try to use sleep functions
+#endif
+#ifdef SYS_clock_nanosleep_time64
+ "clock_nanosleep_time64,"
+#endif
+#ifdef SYS_exit
+ "exit," // breaks most Qt applications
+#endif
+#ifdef SYS_futex
+ "futex," // frequently used and causes breakages
+#endif
+#ifdef SYS_gettimeofday
+ "gettimeofday,"
+#endif
+#ifdef SYS_mmap
+ "mmap," // cannot load shared libraries
+#endif
+#ifdef SYS_mmap2
+ "mmap2,"
+#endif
+#ifdef SYS_mprotect
+ "mprotect," // cannot load shared libraries
+#endif
+#ifdef SYS_time
+ "time,"
 #endif
 "__dummy_syscall__"
 },
diff --git a/src/man/firejail.1.in b/src/man/firejail.1.in
index 8bd933fbb..6f61209ee 100644
--- a/src/man/firejail.1.in
+++ b/src/man/firejail.1.in
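Review bot: Adding `execv` to `@obsolete` also places it under `@default`, since the syscalls.txt hunk in this same diff lists `@obsolete` as a member of `@default`, so on sparc — the only architecture the removed `@default-keep` entry said has this syscall — the default filter now blocks it where it was previously force-kept. That is harmless if the sparc C library implements execv() on top of execve, but if anything there issues the `execv` syscall directly every default-sandboxed program on that arch fails to start; the diff gives no evidence either way. The rationale should be recorded next to the entry rather than lost with the old comment, e.g. `"execv," // sparc-only legacy syscall; libc's execv() is expected to go through execve — verify before relying on this`. The sysgroups[] array begins and ends outside the hunk.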
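Review bot: The invariant stated in the comment on `.name = "@program-keep"` — that none of these syscalls may appear in `@default` or its sub-groups — is enforced by nothing in this hunk, so the next contributor who adds `mmap` or `futex` to a `@default` sub-group silently breaks every default-filtered program. Since `syscall_groups_print` and `syscall_in_groups_print` already exist (see the syscall.h hunk), a test that expands `@default` and asserts it is disjoint from `@program-keep` would turn the comment into a checked property; I would also note the policy in the comment itself, `// never add one of these to @default or its sub-groups: the default filter must not block them`. Minor wording point on `.description`: the comma splice reads better as `"System calls commonly invoked by programs; blocking them can cause widespread breakage."`. The `#ifdef SYS_exit`/`SYS_futex`/`SYS_mprotect` guards are new relative to the unconditional entries removed from `@default-keep`; if that is deliberate, a one-line comment on `.list =` saying every entry is guarded so the table builds on any architecture would explain the asymmetry. The sysgroups[] array begins and ends outside the hunk.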
@@ -2702,7 +2702,7 @@ To help creating useful seccomp filters more easily, the following system call groups are defined: @aio, @basic-io, @chown, @clock, @cpu-emulation, @debug, @default, @default-nodebuggers, @default-keep, @file-system, @io-event, @ipc, @keyring, @memfd, @memlock, @module, @mount,
-@network-io, @obsolete, @privileged, @process, @raw-io, @reboot,
+@network-io, @obsolete, @privileged, @process, @program-keep, @raw-io, @reboot,
 @resources, @sandbox, @setuid, @swap, @sync, @system-service and @timer. More information about groups can be found in /usr/share/doc/firejail/syscalls.txt and see also \-\-debug-syscall-groups.
 .br