diff --git a/src/backend/kms/socket.rs b/src/backend/kms/socket.rs
index abde22c3..377a9c6d 100644
--- a/src/backend/kms/socket.rs
+++ b/src/backend/kms/socket.rs
@@ -96,7 +96,10 @@ impl State {
             .insert_source(listener, move |client_stream, _, state: &mut State| {
                 if let Err(err) = state.common.display_handle.insert_client(
                     client_stream,
-                    Arc::new(state.new_client_state_with_node(render_node)),
+                    Arc::new(ClientState {
+                        advertised_drm_node: Some(render_node),
+                        ..state.new_client_state()
+                    }),
                 ) {
                     warn!(
                         socket_name = socket_name_clone,
diff --git a/src/main.rs b/src/main.rs
index 28d51a93..9ec805b6 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -13,7 +13,9 @@ use std::{env, ffi::OsString, os::unix::process::CommandExt, process, sync::Arc}
 use tracing::{error, info, warn};
 
 use crate::{
-    shell::SeatExt, state::BackendData, wayland::handlers::compositor::client_compositor_state,
+    shell::SeatExt,
+    state::{BackendData, ClientState},
+    wayland::handlers::compositor::client_compositor_state,
 };
 
 pub mod backend;
@@ -198,14 +200,12 @@ fn init_wayland_display(
                 _ => None,
             };
 
+            let client_state = state.new_client_state();
             if let Err(err) = state.common.display_handle.insert_client(
                 client_stream,
-                Arc::new(if cfg!(debug_assertions) {
-                    state.new_privileged_client_state()
-                } else if let Some(node) = node {
-                    state.new_client_state_with_node(node)
-                } else {
-                    state.new_client_state()
+                Arc::new(ClientState {
+                    advertised_drm_node: node.or(client_state.advertised_drm_node),
+                    ..client_state
                 }),
             ) {
                 warn!(?err, "Error adding wayland client")
diff --git a/src/session.rs b/src/session.rs
index 72eff23f..536d6086 100644
--- a/src/session.rs
+++ b/src/session.rs
@@ -19,7 +19,7 @@ use std::{
 };
 use tracing::{error, warn};
 
-use crate::state::State;
+use crate::state::{ClientState, State};
 
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "snake_case", tag = "message")]
@@ -146,7 +146,11 @@ pub fn setup_socket(handle: LoopHandle<State>, state: &State) -> Result<()> {
                                                         continue;
                                                     }
                                                     let stream = unsafe { UnixStream::from_raw_fd(fd) };
-                                                    if let Err(err) = state.common.display_handle.insert_client(stream, Arc::new(state.new_privileged_client_state())) {
+                                                    let client_state = Arc::new(ClientState {
+                                                        privileged: true,
+                                                        ..state.new_client_state()
+                                                    });
+                                                    if let Err(err) = state.common.display_handle.insert_client(stream, client_state) {
                                                         warn!(?err, "Failed to add privileged client to display");
                                                     }
                                                 }
diff --git a/src/state.rs b/src/state.rs
index a23c0496..97c90720 100644
--- a/src/state.rs
+++ b/src/state.rs
@@ -364,8 +364,8 @@ pub fn client_is_privileged(client: &Client) -> bool {
         .map_or(false, |client_state| client_state.privileged)
 }
 
-pub fn client_should_see_privileged_protocols(client: &Client) -> bool {
-    if std::env::var("COSMIC_ENABLE_WAYLAND_SECURITY")
+fn enable_wayland_security() -> bool {
+    std::env::var("COSMIC_ENABLE_WAYLAND_SECURITY")
         .map(|x| {
             x == "1"
                 || x.to_lowercase() == "true"
@@ -373,11 +373,6 @@ pub fn client_should_see_privileged_protocols(client: &Client) -> bool {
                 || x.to_lowercase() == "y"
         })
         .unwrap_or(false)
-    {
-        client_is_privileged(client)
-    } else {
-        client_is_privileged(client) || client_has_no_security_context(client)
-    }
 }
 
 impl State {
@@ -409,14 +404,11 @@ impl State {
         let fractional_scale_state = FractionalScaleManagerState::new::<State>(dh);
         let keyboard_shortcuts_inhibit_state = KeyboardShortcutsInhibitState::new::<Self>(dh);
         let output_state = OutputManagerState::new_with_xdg_output::<Self>(dh);
-        let output_configuration_state =
-            OutputConfigurationState::new(dh, client_should_see_privileged_protocols);
+        let output_configuration_state = OutputConfigurationState::new(dh, client_is_privileged);
         let presentation_state = PresentationState::new::<Self>(dh, clock.id() as u32);
         let primary_selection_state = PrimarySelectionState::new::<Self>(dh);
-        let image_source_state =
-            ImageSourceState::new::<Self, _>(dh, client_should_see_privileged_protocols);
-        let screencopy_state =
-            ScreencopyState::new::<Self, _>(dh, client_should_see_privileged_protocols);
+        let image_source_state = ImageSourceState::new::<Self, _>(dh, client_is_privileged);
+        let screencopy_state = ScreencopyState::new::<Self, _>(dh, client_is_privileged);
         let shm_state =
             ShmState::new::<Self>(dh, vec![wl_shm::Format::Xbgr8888, wl_shm::Format::Abgr8888]);
         let seat_state = SeatState::<Self>::new();
@@ -425,15 +417,15 @@ impl State {
         let kde_decoration_state = KdeDecorationState::new::<Self>(&dh, Mode::Client);
         let xdg_decoration_state = XdgDecorationState::new::<Self>(&dh);
         let session_lock_manager_state =
-            SessionLockManagerState::new::<Self, _>(&dh, client_should_see_privileged_protocols);
+            SessionLockManagerState::new::<Self, _>(&dh, client_is_privileged);
         XWaylandKeyboardGrabState::new::<Self>(&dh);
         PointerConstraintsState::new::<Self>(&dh);
         PointerGesturesState::new::<Self>(&dh);
         TabletManagerState::new::<Self>(&dh);
         SecurityContextState::new::<Self, _>(&dh, client_has_no_security_context);
-        InputMethodManagerState::new::<Self, _>(&dh, client_should_see_privileged_protocols);
+        InputMethodManagerState::new::<Self, _>(&dh, client_is_privileged);
         TextInputManagerState::new::<Self>(&dh);
-        VirtualKeyboardManagerState::new::<State, _>(&dh, client_should_see_privileged_protocols);
+        VirtualKeyboardManagerState::new::<State, _>(&dh, client_is_privileged);
 
         let idle_notifier_state = IdleNotifierState::<Self>::new(&dh, handle.clone());
         let idle_inhibit_manager_state = IdleInhibitManagerState::new::<State>(&dh);
@@ -445,10 +437,8 @@ impl State {
 
         let shell = Arc::new(RwLock::new(Shell::new(&config)));
 
-        let layer_shell_state = WlrLayerShellState::new_with_filter::<State, _>(
-            dh,
-            client_should_see_privileged_protocols,
-        );
+        let layer_shell_state =
+            WlrLayerShellState::new_with_filter::<State, _>(dh, client_is_privileged);
         let xdg_shell_state = XdgShellState::new_with_capabilities::<State>(
             dh,
             [
@@ -459,8 +449,7 @@ impl State {
             ],
         );
         let xdg_activation_state = XdgActivationState::new::<State>(dh);
-        let toplevel_info_state =
-            ToplevelInfoState::new(dh, client_should_see_privileged_protocols);
+        let toplevel_info_state = ToplevelInfoState::new(dh, client_is_privileged);
         let toplevel_management_state = ToplevelManagementState::new::<State, _>(
             dh,
             vec![
@@ -470,9 +459,9 @@ impl State {
                 ManagementCapabilities::Minimize,
                 ManagementCapabilities::MoveToWorkspace,
             ],
-            client_should_see_privileged_protocols,
+            client_is_privileged,
         );
-        let workspace_state = WorkspaceState::new(dh, client_should_see_privileged_protocols);
+        let workspace_state = WorkspaceState::new(dh, client_is_privileged);
 
         if let Err(err) = crate::dbus::init(&handle) {
             tracing::warn!(?err, "Failed to initialize dbus handlers");
@@ -548,32 +537,7 @@ impl State {
                 BackendData::Kms(kms_state) => Some(kms_state.primary_node),
                 _ => None,
             },
-            privileged: false,
-            evls: self.common.event_loop_signal.clone(),
-            security_context: None,
-        }
-    }
-
-    pub fn new_client_state_with_node(&self, drm_node: DrmNode) -> ClientState {
-        ClientState {
-            compositor_client_state: CompositorClientState::default(),
-            workspace_client_state: WorkspaceClientState::default(),
-            advertised_drm_node: Some(drm_node),
-            privileged: false,
-            evls: self.common.event_loop_signal.clone(),
-            security_context: None,
-        }
-    }
-
-    pub fn new_privileged_client_state(&self) -> ClientState {
-        ClientState {
-            compositor_client_state: CompositorClientState::default(),
-            workspace_client_state: WorkspaceClientState::default(),
-            advertised_drm_node: match &self.backend {
-                BackendData::Kms(kms_state) => Some(kms_state.primary_node),
-                _ => None,
-            },
-            privileged: true,
+            privileged: !enable_wayland_security(),
             evls: self.common.event_loop_signal.clone(),
             security_context: None,
         }