diff --git a/core/archipelago/src/container/hooks.rs b/core/archipelago/src/container/hooks.rs
index f75cf36b..771b6f4e 100644
--- a/core/archipelago/src/container/hooks.rs
+++ b/core/archipelago/src/container/hooks.rs
@@ -97,26 +97,44 @@ async fn run_step(
             args.push("exec");
             args.push(container);
             args.extend(exec.iter().map(String::as_str));
-            run_podman(&args).await
+            // `exec` spawns a process INSIDE the container's cgroup. When the
+            // container was started by archipelago.service, that cgroup is under
+            // the service's slice and a bare `podman exec` from the service can't
+            // write its `cgroup.procs` ("crun: ... Permission denied / OCI
+            // permission denied"). Run it in a transient user scope (its own
+            // delegated cgroup) — mirrors `podman_user_scope` for pasta starts.
+            run_podman(&args, /* scoped */ true).await
         }
         HookStep::CopyFromHost { copy_from_host } => {
             let abs = resolve_copy_src(&copy_from_host.src, app_id, data_dir)?;
             let abs = abs.to_string_lossy().into_owned();
             let dest = format!("{container}:{}", copy_from_host.dest);
-            run_podman(&["cp", &abs, &dest]).await
+            // `cp` is a host-side copy (no in-container process), so no scope needed.
+            run_podman(&["cp", &abs, &dest], /* scoped */ false).await
         }
     }
 }
 
-async fn run_podman(args: &[&str]) -> Result<()> {
+/// Run a podman command, optionally inside a transient systemd user scope. The
+/// scope gives the invocation its own delegated cgroup so `podman exec` can
+/// place its child process — without it, an exec launched from the service's
+/// own cgroup is denied write to the container's `cgroup.procs`.
+async fn run_podman(args: &[&str], scoped: bool) -> Result<()> {
     let rendered = args.join(" ");
-    let out = tokio::time::timeout(
-        HOOK_TIMEOUT,
-        tokio::process::Command::new("podman").args(args).output(),
-    )
-    .await
-    .map_err(|_| anyhow::anyhow!("podman {rendered} timed out after {:?}", HOOK_TIMEOUT))?
-    .map_err(|e| anyhow::anyhow!("podman {rendered}: {e}"))?;
+    let mut cmd = if scoped {
+        let mut c = tokio::process::Command::new("systemd-run");
+        c.args(["--user", "--scope", "--quiet", "--collect", "podman"]);
+        c.args(args);
+        c
+    } else {
+        let mut c = tokio::process::Command::new("podman");
+        c.args(args);
+        c
+    };
+    let out = tokio::time::timeout(HOOK_TIMEOUT, cmd.output())
+        .await
+        .map_err(|_| anyhow::anyhow!("podman {rendered} timed out after {:?}", HOOK_TIMEOUT))?
+        .map_err(|e| anyhow::anyhow!("podman {rendered}: {e}"))?;
 
     if !out.status.success() {
         bail!(