diff --git a/src/mountfsd/mountwork.c b/src/mountfsd/mountwork.c
index 141d8f62de..32c0420ad0 100644
--- a/src/mountfsd/mountwork.c
+++ b/src/mountfsd/mountwork.c
@@ -449,7 +449,9 @@ static int vl_method_mount_image(
 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
 DISSECT_IMAGE_PIN_PARTITION_DEVICES |
 (p.verity_sharing ? DISSECT_IMAGE_VERITY_SHARE : 0) |
- (p.verity_data_fd_idx != UINT_MAX ? DISSECT_IMAGE_NO_PARTITION_TABLE : 0) |
+ /* Maybe the image is a bare filesystem. Note that this requires privileges, as it is
+ * classified by the policy as an 'unprotected' image and will be refused otherwise. */
+ DISSECT_IMAGE_NO_PARTITION_TABLE |
 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;

 /* Let's see if we have acquired the privilege to mount untrusted images already */
diff --git a/test/units/TEST-50-DISSECT.mountfsd.sh b/test/units/TEST-50-DISSECT.mountfsd.sh
index cca502dfcb..92d497903f 100755
--- a/test/units/TEST-50-DISSECT.mountfsd.sh
+++ b/test/units/TEST-50-DISSECT.mountfsd.sh
@@ -93,6 +93,15 @@ if [ "$VERITY_SIG_SUPPORTED" -eq 1 ]; then
 mv /tmp/app0.roothash.p7s.bak /tmp/app0.roothash.p7s
 fi

+# Bare squashfs without any verity or signature also should be rejected, even if we ask to trust it
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ true)
+(! systemd-run -M testuser@ --user --pipe --wait \
+ --property ExtensionImages=/tmp/app1.raw \
+ --property ExtensionImagePolicy=root=verity+signed+unprotected+absent:usr=verity+signed+unprotected+absent \
+ true)
+
 # Install key in keychain
 mkdir -p /run/verity.d
 cp /tmp/test-50-unpriv-cert.crt /run/verity.d/
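Review bot: In the flag expression of vl_method_mount_image() in src/mountfsd/mountwork.c, the new comment says bare file systems "require privileges" but not where that is enforced, and with `DISSECT_IMAGE_NO_PARTITION_TABLE` now set for every caller the flag itself no longer gates anything. The refusal for unprivileged clients presumably comes from the image policy applied later in this function, outside the hunk, so the comment should point there, e.g. `/* Always allow bare file systems here; without Verity they are 'unprotected' under the image policy, which is what refuses them for unprivileged callers. */`. It is also worth confirming on the C side that a client-supplied policy cannot relax that classification, which is what the second added test in TEST-50-DISSECT.mountfsd.sh is meant to show. The function begins and ends outside the hunk.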
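Review bot: Both added `(! systemd-run … true)` checks in test/units/TEST-50-DISSECT.mountfsd.sh pass on any non-zero exit, so they would also pass if /tmp/app1.raw were missing or the testuser@ session were unavailable, not only when the policy refuses the bare squashfs. The second case is the one guarding against a caller-supplied `ExtensionImagePolicy=` that lists `unprotected`, so it deserves a precondition such as `test -f /tmp/app1.raw` ahead of the two runs, and ideally a check of the reported failure reason. Where /tmp/app1.raw is created is not visible in this hunk.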