diff --git a/elements/vm-secure/common-deps.bst b/elements/vm-secure/common-deps.bst
index dda42653db3b0e023010301fec63bb4b5152e2b4..0d6740cd8edf8245163cad80bb47b1e7d4b4709b 100644
--- a/elements/vm-secure/common-deps.bst
+++ b/elements/vm-secure/common-deps.bst
@@ -20,6 +20,7 @@ depends:
 - vm-deps/efitools-maybe.bst
 - vm-secure/reload-sysext.bst
 - vm-deps/mokutil.bst
+- vm-secure/var-flatpak-subvol.bst
 (?):
 - arch in ["x86_64"]:
diff --git a/elements/vm-secure/usr-image.bst b/elements/vm-secure/usr-image.bst
index 5dd049d9618b8ad9cbcedb0b3e161e8b365ef137..064395e3e2e7a919b41157b5a78145f2c931e47c 100644
--- a/elements/vm-secure/usr-image.bst
+++ b/elements/vm-secure/usr-image.bst
@@ -22,7 +22,7 @@ config:
 --seed "%{sysroot-seed}" \
 --rootsource /dev/gpt-auto-root \
 --rootfstype btrfs \
- --rootfsopts relatime \
+ --rootfsopts relatime,nodev,nosuid,noexec \
 --noboot >'%{install-root}/vars.txt'
 - |
diff --git a/elements/vm-secure/var-flatpak-subvol.bst b/elements/vm-secure/var-flatpak-subvol.bst
new file mode 100644
index 0000000000000000000000000000000000000000..58db4fd3866dad920c1d10b6787e85e54dccb71b
--- /dev/null
+++ b/elements/vm-secure/var-flatpak-subvol.bst
@@ -0,0 +1,20 @@
+kind: manual
+
+depends:
+- filename: freedesktop-sdk.bst:components/systemd.bst
+
+config:
+ install-commands:
+ - |
+ mkdir -p "%{install-root}%{indep-libdir}/systemd/system/"
+ install -m 644 -t "%{install-root}%{indep-libdir}/systemd/system/" var-lib-flatpak.mount
+
+ mkdir -p "%{install-root}%{indep-libdir}/tmpfiles.d/"
+ install -m 644 -t "%{install-root}%{indep-libdir}/tmpfiles.d/" flatpak-subvolume.conf
+
+sources:
+- kind: local
+ path: files/var-flatpak-subvol/var-lib-flatpak.mount
+- kind: local
+ path: files/var-flatpak-subvol/flatpak-subvolume.conf
+
diff --git a/files/var-flatpak-subvol/flatpak-subvolume.conf b/files/var-flatpak-subvol/flatpak-subvolume.conf
new file mode 100644
index 0000000000000000000000000000000000000000..bc3a87c79354a969899ffe676d33691c3bb13f98
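Review bot: The new `--rootfsopts relatime,nodev,nosuid,noexec` value turns on `noexec` for the entire root btrfs filesystem, but nothing in the hunk records which directories are expected to hold executable content and how they are carved out of that rule; the command this option belongs to starts before and continues after the hunk. Presumably the only exemptions are the separate /usr image and the new /var/lib/flatpak subvolume mount (whose options omit `noexec`), so anything else that ends up on the root subvolume — user home directories, /var/tmp, /opt or /usr/local if they live there — will refuse to execute binaries; worth confirming that is intended before this lands. A one-line comment above the command would keep that decision visible: `# nodev,nosuid,noexec: the root subvolume carries only data; executable content lives in the /usr image and in dedicated mounts such as the /var/lib/flatpak subvolume, which omits noexec`.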
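Review bot: The `install-commands` drop `var-lib-flatpak.mount` into the system unit directory but nothing enables it, and a unit's `[Install]` section only takes effect once `systemctl enable` or a preset processes it, so unless a preset elsewhere in the project already covers this unit, /var/lib/flatpak stays a plain directory on the `noexec` root and the subvolume is never mounted. If no preset exists, the element itself should create the wants symlink, e.g. `mkdir -p "%{install-root}%{indep-libdir}/systemd/system/local-fs.target.wants/"` followed by `ln -s ../var-lib-flatpak.mount "%{install-root}%{indep-libdir}/systemd/system/local-fs.target.wants/var-lib-flatpak.mount"`, choosing the target directory to match whichever target the unit's `[Install]` section ends up naming. Either way, a short comment in the element saying how the unit gets activated would save the next reader the same question.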
--- /dev/null
+++ b/files/var-flatpak-subvol/flatpak-subvolume.conf
@@ -0,0 +1 @@
+v /var/lib/flatpak 0755 root root - -
diff --git a/files/var-flatpak-subvol/var-lib-flatpak.mount b/files/var-flatpak-subvol/var-lib-flatpak.mount
new file mode 100644
index 0000000000000000000000000000000000000000..ff04c3698247f178bbee4e2a2735fafbf2600412
--- /dev/null
+++ b/files/var-flatpak-subvol/var-lib-flatpak.mount
@@ -0,0 +1,14 @@
+[Unit]
+Conflicts=umount.target
+Before=umount.target
+After=systemd-tmpfiles-setup.service
+After=blockdev@dev-gpt\x2dauto\x2droot.target
+
+[Install]
+WantedBy=graphical.target
+
+[Mount]
+What=/dev/gpt-auto-root
+Where=/var/lib/flatpak
+Type=btrfs
+Options=relatime,nodev,nosuid,subvol=var/lib/flatpak,x-systemd.after=systemd-tmpfiles-setup.service,x-systemd.wanted-by=local-fs.target
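Review bot: The `x-systemd.after=` and `x-systemd.wanted-by=` entries on the `Options=` line are, as far as I recall, only interpreted by systemd-fstab-generator for /etc/fstab entries; inside a `.mount` unit file they are handed to mount(8), which ignores `x-*` options, so neither the ordering nor the `local-fs.target` dependency is established by them, and the unit is left with `[Install] WantedBy=graphical.target` saying something different. `After=systemd-tmpfiles-setup.service` in `[Unit]` already provides the ordering, so I would trim the line to `Options=relatime,nodev,nosuid,subvol=var/lib/flatpak` and settle the target question in `[Install]` (`WantedBy=local-fs.target` if the subvolume must be up before local-fs.target is reached). Note also that `subvol=var/lib/flatpak` is resolved against the top-level btrfs subvolume, which only coincides with the `v /var/lib/flatpak` entry in the preceding tmpfiles hunk if the root is mounted from that top-level subvolume — worth confirming against the image layout. Since the root mount in this commit gains `noexec` and this unit deliberately does not, a comment recording the reason would help: `# noexec intentionally omitted: flatpak apps and runtimes stored here must be executable`.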