diff --git a/engine/compiler/compiler.go b/engine/compiler/compiler.go
index 57627e9..3b53f00 100644
--- a/engine/compiler/compiler.go
+++ b/engine/compiler/compiler.go
@@ -6,7 +6,6 @@ package compiler
 import (
 "context"
- "path/filepath"
 "strings"
 "github.com/drone-runners/drone-runner-docker/engine"
@@ -466,32 +465,7 @@ func (c *Compiler) isPrivileged(step *resource.Step) bool {
 // privileged-by-default mode is disabled if the
 // pipeline step mounts a restricted volume.
 for _, mount := range step.Volumes {
- path, _ := filepath.Abs(mount.MountPath)
- path = strings.ToLower(path)
- switch {
- case path == "/":
- return false
- case path == "/var":
- return false
- case strings.Contains(path, "/var/run"):
- return false
- case strings.Contains(path, "/proc"):
- return false
- case strings.Contains(path, "/mount"):
- return false
- case strings.Contains(path, "/bin"):
- return false
- case strings.Contains(path, "/usr/local/bin"):
- return false
- case strings.Contains(path, "/mnt"):
- return false
- case strings.Contains(path, "/media"):
- return false
- case strings.Contains(path, "/sys"):
- return false
- case strings.Contains(path, "/dev"):
- return false
- case strings.Contains(path, "/etc/docker"):
+ if isRestrictedVolume(mount.MountPath) {
 return false
 }
 }
diff --git a/engine/compiler/util.go b/engine/compiler/util.go
index 81806c2..1a9d3f4 100644
--- a/engine/compiler/util.go
+++ b/engine/compiler/util.go
@@ -5,6 +5,7 @@ package compiler
 import (
+ "path/filepath"
 "strings"
 "github.com/drone-runners/drone-runner-docker/engine"
 
@@ -136,3 +137,27 @@ func convertPullPolicy(s string) engine.PullPolicy {
 return engine.PullDefault
 }
 }
+
+// helper function returns true if mounting the volume
+// is restricted for un-trusted containers.
+func isRestrictedVolume(path string) bool {
+ path, _ = filepath.Abs(path)
+ path = strings.ToLower(path)
+ switch {
+ case path == "/":
+ case path == "/var":
+ case strings.Contains(path, "/var/run"):
+ case strings.Contains(path, "/proc"):
+ case strings.Contains(path, "/mount"):
+ case strings.Contains(path, "/bin"):
+ case strings.Contains(path, "/usr/local/bin"):
+ case strings.Contains(path, "/mnt"):
+ case strings.Contains(path, "/media"):
+ case strings.Contains(path, "/sys"):
+ case strings.Contains(path, "/dev"):
+ case strings.Contains(path, "/etc/docker"):
+ default:
+ return false
+ }
+ return true
+}
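Review bot: The error from `filepath.Abs` is discarded on the first line of isRestrictedVolume, and since Abs returns an empty string on failure the lowercased path then matches no case, falls into `default` and the function returns false — a mount path that cannot be resolved is treated as unrestricted by a check that gates privileged mode (isPrivileged in compiler.go, whose body continues outside its hunk). A privilege gate should fail closed: `abs, err := filepath.Abs(path)` / `if err != nil { return true }` / `path = strings.ToLower(abs)`. The function also runs the host's path rules (working-directory resolution, platform separators) over what is a container-side mount path, so if this runner is built for more than one host OS the `path == "/"` comparisons may not behave the same everywhere; worth a comment and a unit test pinning the listed cases. The doc comment should follow Go convention and start with the identifier, e.g. `// isRestrictedVolume reports whether mounting path into an untrusted container is disallowed.`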