diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
index 418523a..57627e9 100644
--- a/engine/compiler/compiler.go
+++ b/engine/compiler/compiler.go
@@ -463,6 +463,8 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
 	if len(step.Entrypoint) > 0 {
 		return false
 	}
+	// privileged-by-default mode is disabled if the
+	// pipeline step mounts a restricted volume.
 	for _, mount := range step.Volumes {
 		path, _ := filepath.Abs(mount.MountPath)
 		path = strings.ToLower(path)
@@ -473,6 +475,24 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
 			return false
 		case strings.Contains(path, "/var/run"):
 			return false
+		case strings.Contains(path, "/proc"):
+			return false
+		case strings.Contains(path, "/mount"):
+			return false
+		case strings.Contains(path, "/bin"):
+			return false
+		case strings.Contains(path, "/usr/local/bin"):
+			return false
+		case strings.Contains(path, "/mnt"):
+			return false
+		case strings.Contains(path, "/media"):
+			return false
+		case strings.Contains(path, "/sys"):
+			return false
+		case strings.Contains(path, "/dev"):
+			return false
+		case strings.Contains(path, "/etc/docker"):
+			return false
 		}
 	}
 	// if the container image matches any image
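Review bot: The new `strings.Contains` cases in the second hunk make the restricted-volume check a substring denylist, which is neither precise nor complete: `/bin` already covers `/usr/local/bin` (that case is dead), `/dev` also trips on `/home/developer`, and a mount at `/` itself, `/sbin`, `/lib`, `/lib64` or `/etc` outside `/etc/docker` still leaves the step eligible for privileged-by-default mode even though such a mount can overlay the trusted image's own files just as `/bin` can. The `path, _ := filepath.Abs(...)` in the first hunk also discards the error, so an unresolvable mount path falls through the switch with an empty-or-partial string. I would replace the `case` chain with component-wise prefix matching against one list (so `/dev` matches `/dev` and `/dev/x` but not `/devel`), deny `/` explicitly, and fail closed on the `Abs` error; the existing cases above `/var/run` are outside the hunk and would move into the same list. isPrivileged starts and ends outside this diff.
```go
	// privileged-by-default mode is disabled if the pipeline step mounts a
	// restricted volume; matching is by path component, not substring, so
	// "/dev" denies "/dev" and "/dev/x" but not "/home/developer".
	for _, mount := range step.Volumes {
		path, err := filepath.Abs(mount.MountPath)
		if err != nil {
			return false // fail closed: an unresolvable mount path is not trusted
		}
		path = strings.ToLower(path)
		if path == "/" || isRestrictedMount(path) {
			return false
		}
	}
	// … unchanged: image-match check …
```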