diff --git a/files/system/usr/share/ublue-os/just/70-secureblue.just b/files/system/usr/share/ublue-os/just/70-secureblue.just
index 29703af..6b20f51 100644
--- a/files/system/usr/share/ublue-os/just/70-secureblue.just
+++ b/files/system/usr/share/ublue-os/just/70-secureblue.just
@@ -652,6 +652,11 @@ audit-secureblue:
 status="$STATUS_FAILURE"
 warnings+=("> $f is not using hardened_malloc!")
 fi
+ if ! hasPermission "$permissions" "filesystems" "host-os:ro"; then
+ status="$STATUS_FAILURE"
+ warnings+=("> $f is missing host-os:ro permission,
+> which is needed to load hardened_malloc!")
+ fi
 if [[ "$bluetooth_loaded" == "true" ]] && hasPermission "$permissions" "features" "bluetooth"; then
 status="$STATUS_FAILURE"
 warnings+=("> $f has bluetooth access!")
@@ -664,6 +669,12 @@ audit-secureblue:
 status="$STATUS_FAILURE"
 warnings+=("> $f has inter-process communications access!")
 fi
+ if hasPermission "$permissions" "devices" "all"; then
+ [[ "$status" != "$STATUS_FAILURE" ]] && status="$STATUS_WARNING"
+ warnings+=("> $f has device=all permission,
+> granting access to GPU, input devices, raw USB, and virtualization,
+> and introducing a vector for sandbox escapes!")
+ fi
 flatpak_test_string="Auditing $f"
 print_status "$flatpak_test_string" "$status"
 for warning in "${warnings[@]}"; do
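Review bot: The continuation line `> which is needed to load hardened_malloc!")` of the new `host-os:ro` warning appears to start at column 0 while the lines around it are indented, and just ends a recipe body at the first unindented non-blank line. If the file really has it unindented, `audit-secureblue` would stop parsing there and the audit could not run; the two `>` continuation lines of the `device=all` message in the second hunk have the same shape. One array element per output line avoids the embedded newline: `warnings+=("> $f is missing host-os:ro permission,")` then `warnings+=("> which is needed to load hardened_malloc!")`, assuming the `for warning in "${warnings[@]}"` loop prints one element per line. The recipe body begins and ends outside the hunk, so the surrounding indentation should be confirmed against the file.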
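Review bot: The new `devices` check matches only `all`, yet its message names virtualization and input access as the risk, so a flatpak granted a narrower device such as `kvm` on its own would pass this block silently unless a check outside the hunk covers it. If that scope is intentional, say so above the `if`: `# Only devices=all is audited; narrower grants (e.g. kvm) are deliberately not flagged.` Otherwise a sibling check such as `if hasPermission "$permissions" "devices" "kvm"; then` with its own warning would close the gap. `hasPermission` is defined outside the hunk, so its matching rules are not visible here.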