diff --git a/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy b/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
index 44cc070156..f32604ff62 100644
--- a/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
+++ b/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
@@ -124,9 +124,11 @@ class ContainerConfig extends LinkedHashMap {
 final eng = getEngine()
 if( !eng )
 return null
- if( eng=='docker' || eng=='podman' )
- return '--rm --privileged'
- if( isSingularityOciMode() )
+ if( eng=='docker' )
+ return '--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'
+ if( eng=='podman' )
+ return '--rm --device /dev/fuse'
+ if( singularityOciMode() )
 return '-B /dev/fuse'
 if( eng=='singularity' || eng=='apptainer' )
 return null
diff --git a/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy b/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
index fcab901185..57843c25ac 100644
--- a/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
+++ b/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
@@ -118,7 +118,7 @@ class WaveDebugCmd {
 protected WaveRunCmd buildWaveRunCmd(String scheme) {
 final result = new WaveRunCmd(session)
- result.withContainerParams([tty:true, privileged: true])
+ result.withContainerParams([tty:true])
 if( scheme=='s3' ) {
 result.withEnvironment('AWS_ACCESS_KEY_ID')
 result.withEnvironment('AWS_SECRET_ACCESS_KEY')
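Review bot: In ContainerConfig.groovy the docker branch still turns off both AppArmor and seccomp confinement for every container (`--security-opt apparmor=unconfined --security-opt seccomp=unconfined`), which is narrower than `--privileged` but removes the default syscall filter entirely, and nothing in the code says why docker needs this while podman gets only `--device /dev/fuse`. I would add a comment above the two branches, for example `// FUSE needs /dev/fuse; docker additionally needs its default seccomp/AppArmor profiles lifted for the mount (confirm), podman does not`, and consider a dedicated seccomp profile instead of `unconfined` if the required syscalls are known. The method starts and ends outside the hunk, so a later fallback return that may still carry `--privileged` is not visible here and should be checked. The call also changes from `isSingularityOciMode()` to `singularityOciMode()`, and the definition of the new name is not part of this diff.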
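Review bot: In WaveDebugCmd.groovy, once `privileged: true` is dropped from `result.withContainerParams([tty:true])`, nothing visible in this hunk gives the debug container access to `/dev/fuse`, so if WaveRunCmd does not apply the container config's fusion options itself, a FUSE mount in the debug session would presumably fail. It is worth confirming that path, and noting it in a comment on this line such as `// no --privileged: FUSE device access comes from the container config's fusion options`. The body of `buildWaveRunCmd` continues outside the hunk.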