diff --git a/docs/config.md b/docs/config.md
index 2880cd3e5b..86699be64a 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -586,6 +586,14 @@ The following settings are available:
 `docker.fixOwnership`
 : Fix ownership of files created by the docker container.
+`docker.fusionOptions`
+: :::{versionadded} 23.01.0-edge
+ :::
+: :::{versionchanged} 23.10.0
+ The default options were changed from `'--rm --privileged'` to the current default.
+ :::
+: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'`).
+
 `docker.legacy`
 : Use command line options removed since Docker 1.10.0 (default: `false`).
@@ -1321,6 +1329,14 @@ The following settings are available:
 `podman.envWhitelist`
 : Comma separated list of environment variable names to be included in the container environment.
+`podman.fusionOptions`
+: :::{versionadded} 23.01.0-edge
+ :::
+: :::{versionchanged} 23.10.0
+ The default options were changed from `'--rm --privileged'` to the current default.
+ :::
+: The extra command line options to be used with Fusion (default: `'--rm --device /dev/fuse'`).
+
 `podman.mountFlags`
 : Add the specified flags to the volume mounts e.g. `mountFlags = 'ro,Z'`.
diff --git a/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy b/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
index 0709832455..1a0f1ab889 100644
--- a/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
+++ b/modules/nextflow/src/main/groovy/nextflow/container/ContainerConfig.groovy
@@ -124,8 +124,10 @@ class ContainerConfig extends LinkedHashMap {
 final eng = getEngine()
 if( !eng )
 return null
- if( eng=='docker' || eng=='podman' )
- return '--rm --privileged'
+ if( eng=='docker' )
+ return '--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'
+ if( eng=='podman' )
+ return '--rm --device /dev/fuse'
 if( isSingularityOciMode() )
 return '-B /dev/fuse'
 if( eng=='singularity' || eng=='apptainer' )
diff --git a/modules/nextflow/src/test/groovy/nextflow/container/ContainerConfigTest.groovy b/modules/nextflow/src/test/groovy/nextflow/container/ContainerConfigTest.groovy
index 30651ff32e..d8bbac3df3 100644
--- a/modules/nextflow/src/test/groovy/nextflow/container/ContainerConfigTest.groovy
+++ b/modules/nextflow/src/test/groovy/nextflow/container/ContainerConfigTest.groovy
@@ -102,8 +102,8 @@ class ContainerConfigTest extends Specification {
 where:
 OPTS | EXPECTED
 [:] | null
- [engine:'docker'] | '--rm --privileged'
- [engine:'podman'] | '--rm --privileged'
+ [engine:'docker'] | '--rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined'
+ [engine:'podman'] | '--rm --device /dev/fuse'
 and:
 [engine: 'singularity'] | null
 [engine: 'singularity', ociMode:true] | '-B /dev/fuse'
diff --git a/modules/nextflow/src/test/groovy/nextflow/executor/fusion/FusionHelperTest.groovy b/modules/nextflow/src/test/groovy/nextflow/executor/fusion/FusionHelperTest.groovy
index 697cdd5238..850aebf775 100644
--- a/modules/nextflow/src/test/groovy/nextflow/executor/fusion/FusionHelperTest.groovy
+++ b/modules/nextflow/src/test/groovy/nextflow/executor/fusion/FusionHelperTest.groovy
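Review bot: The new docker default on the added `return` line drops `--privileged` in favour of `--device /dev/fuse` plus `apparmor=unconfined` and `seccomp=unconfined`, but nothing in the hunk records why both the seccomp filter and the AppArmor profile have to be disabled, so a later maintainer cannot tell which of the three grants the FUSE mount actually depends on. A comment above the docker branch such as `// Fusion needs /dev/fuse and the mount syscall, which Docker's default seccomp and AppArmor profiles block; this is narrower than --privileged but still removes both confinement layers` would capture the least-privilege intent and the remaining exposure. Whether this set is sufficient without `CAP_SYS_ADMIN`, which Docker's default capability set does not include, is not shown here — the tests in this commit only compare the rendered command string — so it is worth confirming against a live run before this becomes the release default. The podman branch returns `--rm --device /dev/fuse` with no security-opt flags; the asymmetry may be deliberate (rootless podman defaults differ) but deserves the same one-line note. The enclosing method starts before and ends after this hunk.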
@@ -64,9 +64,9 @@ class FusionHelperTest extends Specification {
 where:
 CONFIG | ENV | NAME | OPTS | CMD | EXPECTED
- [engine:'docker'] | [:] | 'image:1' | null | ['echo', 'hello'] | "docker run -i --rm --privileged image:1 echo 'hello'"
- [engine:'docker'] | [FOO:'one'] | 'image:2' | null | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --rm --privileged image:2 echo 'hello'"
- [engine:'docker'] | [FOO:'one'] | 'image:2' | '--this=that' | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --this=that --rm --privileged image:2 echo 'hello'"
+ [engine:'docker'] | [:] | 'image:1' | null | ['echo', 'hello'] | "docker run -i --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:1 echo 'hello'"
+ [engine:'docker'] | [FOO:'one'] | 'image:2' | null | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:2 echo 'hello'"
+ [engine:'docker'] | [FOO:'one'] | 'image:2' | '--this=that' | ['echo', 'hello'] | "docker run -i -e \"FOO=one\" --this=that --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined image:2 echo 'hello'"
 and:
 [engine:'singularity'] | [:] | 'image:1' | null | ['echo', 'hello'] | "set +u; env - PATH=\"\$PATH\" \${TMP:+SINGULARITYENV_TMP=\"\$TMP\"} \${TMPDIR:+SINGULARITYENV_TMPDIR=\"\$TMPDIR\"} singularity exec --no-home --pid image:1 echo 'hello'"
 [engine:'singularity'] | [FOO:'one'] | 'image:1' | null | ['echo', 'hello'] | "set +u; env - PATH=\"\$PATH\" \${TMP:+SINGULARITYENV_TMP=\"\$TMP\"} \${TMPDIR:+SINGULARITYENV_TMPDIR=\"\$TMPDIR\"} SINGULARITYENV_FOO=\"one\" singularity exec --no-home --pid image:1 echo 'hello'"
diff --git a/modules/nextflow/src/test/groovy/nextflow/executor/local/LocalTaskHandlerTest.groovy b/modules/nextflow/src/test/groovy/nextflow/executor/local/LocalTaskHandlerTest.groovy
index 7b5ac1e0ec..89d04d6335 100644
--- a/modules/nextflow/src/test/groovy/nextflow/executor/local/LocalTaskHandlerTest.groovy
+++ b/modules/nextflow/src/test/groovy/nextflow/executor/local/LocalTaskHandlerTest.groovy
@@ -75,7 +75,7 @@ class LocalTaskHandlerTest extends Specification {
 then:
 handler.fusionEnabled() >> true
 and:
- builder.command() == ['sh','-c','docker run -i -e "FUSION_WORK=/fusion/http/some/work/dir" -e "FUSION_TAGS=[.command.*|.exitcode|.fusion.*](nextflow.io/metadata=true),[*](nextflow.io/temporary=true)" --rm --privileged ubuntu:latest /usr/bin/fusion bash \'/fusion/http/some/work/dir/.command.run\'']
+ builder.command() == ['sh','-c','docker run -i -e "FUSION_WORK=/fusion/http/some/work/dir" -e "FUSION_TAGS=[.command.*|.exitcode|.fusion.*](nextflow.io/metadata=true),[*](nextflow.io/temporary=true)" --rm --device /dev/fuse --security-opt apparmor=unconfined --security-opt seccomp=unconfined ubuntu:latest /usr/bin/fusion bash \'/fusion/http/some/work/dir/.command.run\'']
 builder.directory() == null
 builder.redirectErrorStream()
 builder.redirectOutput().file()
diff --git a/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy b/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
index 0a1c3ef3fc..d6c0acd39b 100644
--- a/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
+++ b/plugins/nf-wave/src/main/io/seqera/wave/plugin/cli/WaveDebugCmd.groovy
@@ -118,7 +118,7 @@ class WaveDebugCmd {
 protected WaveRunCmd buildWaveRunCmd(String scheme) {
 final result = new WaveRunCmd(session)
- result.withContainerParams([tty:true, privileged: true])
+ result.withContainerParams([tty:true])
 if( scheme=='s3' ) {
 result.withEnvironment('AWS_ACCESS_KEY_ID')
 result.withEnvironment('AWS_SECRET_ACCESS_KEY')