diff --git a/src/core/namespace.c b/src/core/namespace.c
index e1a88f2455..6606d767ed 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -714,11 +714,16 @@ static int append_static_mounts(MountList *ml, const MountEntry *mounts, size_t
                 if (!me)
                         return log_oom_debug();
-                *me = (MountEntry) {
-                        .path_const = mount_entry_path(m),
-                        .mode = m->mode,
-                        .ignore = m->ignore || ignore_protect,
-                };
+                /* No dynamic values allowed. */
+                assert(m->path_const);
+                assert(!m->path_malloc);
+                assert(!m->unprefixed_path_malloc);
+                assert(!m->source_malloc);
+                assert(!m->options_malloc);
+                assert(!m->overlay_layers);
+
+                *me = *m;
+                me->ignore = me->ignore || ignore_protect;
         }
         return 0;
diff --git a/test/units/TEST-07-PID1.exec-context.sh b/test/units/TEST-07-PID1.exec-context.sh
index 0809460955..46fb1f79e8 100755
--- a/test/units/TEST-07-PID1.exec-context.sh
+++ b/test/units/TEST-07-PID1.exec-context.sh
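Review bot: The comment `/* No dynamic values allowed. */` above the new asserts states the rule but not why it matters, and the reason is an ownership hazard: `*me = *m;` is a shallow struct copy, so a table entry carrying `path_malloc`, `unprefixed_path_malloc`, `source_malloc`, `options_malloc` or `overlay_layers` would leave the static table and the copied entry sharing one heap pointer, and whatever later releases the copy would free memory out from under the table (any later use of that table entry would then be a use-after-free). I would say that in the comment, e.g. `/* Static tables must only carry const data: *me = *m below is a shallow copy, so any malloc'd field would be shared with the table and freed out from under it when the copy is released. */`. These asserts presumably expand to systemd's own assert() and therefore stay active in release builds, but they only catch the problem once a unit with that table is set up; if the tables are ever populated from anything other than compile-time initializers a hard error would be preferable — the tables themselves are not visible from this hunk. The FOREACH loop and the signature of append_static_mounts() begin before this hunk.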
@@ -55,13 +55,22 @@ if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]; then
         bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK"
     systemd-run --wait --pipe -p ProtectHome=read-only \
         bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test -e $MARK"
-    systemd-run --wait --pipe -p ProtectHome=tmpfs \
-        bash -xec "test -w /home; test -w /root; test -w /run/user; test ! -e $MARK"
+    systemd-run --wait --pipe -p ProtectHome=tmpfs -p TemporaryFileSystem=/home/foo \
+        bash -xec "test ! -w /home; test ! -w /root; test ! -w /run/user; test ! -e $MARK; test -w /home/foo"
     systemd-run --wait --pipe -p ProtectHome=no \
         bash -xec "test -w /home; test -w /root; test -w /run/user; test -e $MARK"
     rm -f "$MARK"
 fi
+systemd-run --wait --pipe -p PrivateMounts=true -p MountAPIVFS=yes \
+    bash -xec '[[ "$(findmnt --mountpoint /proc --noheadings -o FSTYPE)" == proc ]];
+               [[ "$$(findmnt --mountpoint /dev --noheadings -o FSTYPE)" =~ (devtmpfs|tmpfs) ]];
+               [[ "$$(findmnt --mountpoint /sys --noheadings -o FSTYPE)" =~ (sysfs|tmpfs) ]];
+               [[ "$$(findmnt --mountpoint /run --noheadings -o FSTYPE)" == tmpfs ]];
+               [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ rw ]];
+               [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ nosuid ]];
+               [[ "$$(findmnt --mountpoint /run --noheadings -o VFS-OPTIONS)" =~ nodev ]]'
+
 if proc_supports_option "hidepid=off"; then
     systemd-run --wait --pipe -p ProtectProc=noaccess -p User=testuser \
         bash -xec 'test -e /proc/1; test ! -r /proc/1; test -r /proc/$$$$/comm'
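Review bot: The `$` escaping in the new PrivateMounts=true/MountAPIVFS=yes block is inconsistent: the `/proc` check uses `"$(findmnt ...)"` with a single `$`, while the six checks after it use `"$$(findmnt ...)"` and the existing ProtectProc test below doubles every `$` (`/proc/$$$$/comm`). The command string goes through systemd-run as ExecStart=, where `$$` is the documented way to produce a literal `$`, so the first line appears to pass only because `$(` is not something the unit's variable expander acts on; I would change it to `[[ "$$(findmnt --mountpoint /proc --noheadings -o FSTYPE)" == proc ]];` so all seven checks are escaped the same way and do not depend on that detail. The first hunk lines sit inside the `if [[ -z "${COVERAGE_BUILD_DIR:-}" ]]` block, which opens before this hunk.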