diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
index 43e15fcc3d..671a6a26fd 100644
--- a/src/switchroot/ostree-prepare-root.c
+++ b/src/switchroot/ostree-prepare-root.c
@@ -244,6 +244,17 @@ main(int argc, char *argv[])
         err (EXIT_FAILURE, "failed to MS_MOVE %s to %s", deploy_path, root_mountpoint);
     }
 
+  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
+   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
+   *
+   * Now in reality, today this is overridden by systemd: the *actual* way we fix this up
+   * is in ostree-remount.c.  But let's do it here to express the semantics we want
+   * at the very start (perhaps down the line systemd will have compile/runtime option
+   * to say that the initramfs environment did everything right from the start).
+   */
+  if (mount ("none", "sysroot", NULL, MS_PRIVATE, NULL) < 0)
+    err (EXIT_FAILURE, "remounting 'sysroot' private");
+
   if (getpid() == 1)
     {
       execl ("/sbin/init", "/sbin/init", NULL);
diff --git a/src/switchroot/ostree-remount.c b/src/switchroot/ostree-remount.c
index fe6b6f44b1..cc2b81b3e1 100644
--- a/src/switchroot/ostree-remount.c
+++ b/src/switchroot/ostree-remount.c
@@ -44,6 +44,15 @@ main(int argc, char *argv[])
   struct stat stbuf;
   int i;
 
+  /* The /sysroot mount needs to be private to avoid having a mount for e.g. /var/cache
+   * also propagate to /sysroot/ostree/deploy/$stateroot/var/cache
+   *
+   * Today systemd remounts / (recursively) as shared, so we're undoing that as early
+   * as possible.  See also a copy of this in ostree-prepare-root.c.
+   */
+  if (mount ("none", "/sysroot", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
+    perror ("warning: While remounting /sysroot MS_PRIVATE");
+
   if (path_is_on_readonly_fs ("/"))
     {
       /* If / isn't writable, don't do any remounts; we don't want