diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index 0cfef4b..c6d6477 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -16,10 +16,13 @@ ExecStart=/opt/left4me/.venv/bin/gunicorn --workers 1 --threads 8 --bind 0.0.0.0
 Restart=on-failure
 RestartSec=3
 # NoNewPrivileges intentionally not set: the worker invokes fusermount3
-# (setuid-root) to mount FUSE overlays and sudo to run the systemctl
-# wrapper. NoNewPrivileges blocks both. Hardening is still provided by
-# dedicated user, PrivateTmp, ProtectSystem=full, and narrow sudoers.
-PrivateTmp=true
+# (setuid-root) and sudo to run the systemctl wrapper.
+# PrivateTmp intentionally not set: it creates a private mount
+# namespace, which would hide per-instance fuse-overlayfs mounts from
+# the host and the gameserver units. The mount must land in the host
+# namespace so the systemd-managed gameserver service inherits it at
+# unshare time. Remaining hardening: dedicated user, ProtectSystem,
+# ReadWritePaths, narrow sudoers allowlist.
 ProtectSystem=full
 ReadWritePaths=/var/lib/left4me