diff --git a/services/qbittorrent.nix b/services/qbittorrent.nix
index 666385d..0591e18 100644
--- a/services/qbittorrent.nix
+++ b/services/qbittorrent.nix
@@ -23,7 +23,9 @@ in
     (lib.serviceFilePerms "qbittorrent" [
       # 0770: group (media) needs write to delete files during upgrades —
       # Radarr/Sonarr must unlink the old file before placing the new one.
-      "Z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
+      # Non-recursive (z not Z): UMask=0007 ensures new files get correct perms.
+      # A recursive Z rule would walk millions of files on the HDD pool at every boot.
+      "z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.media_group}"
       "z ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
       "Z ${config.services.qbittorrent.profileDir} 0700 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}"
     ])