diff --git a/src/libstore/daemon.cc b/src/libstore/daemon.cc
index dfc068bc7..4bca75228 100644
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -730,6 +730,7 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
         options.action = (GCOptions::GCAction) readInt(conn.from);
         options.pathsToDelete = WorkerProto::Serialise<StorePathSet>::read(*store, rconn);
         conn.from >> options.ignoreLiveness >> options.maxFreed;
+        options.censor = !trusted;
         // obsolete fields
         readInt(conn.from);
         readInt(conn.from);
diff --git a/src/libstore/gc.cc b/src/libstore/gc.cc
index b66f03731..91f2ba43f 100644
--- a/src/libstore/gc.cc
+++ b/src/libstore/gc.cc
@@ -614,12 +614,12 @@ void LocalStore::collectGarbage(const GCOptions & options, GCResults & results)
        permanent roots cannot increase now. */
     printInfo("finding garbage collector roots...");
     if (!options.ignoreLiveness)
-        findRootsNoTemp(roots, true);
+        findRootsNoTemp(roots, options.censor);
 
     /* Read the temporary roots created before we acquired the global
        GC root. Any new roots will be sent to our socket. */
     Roots tempRoots;
-    findTempRoots(tempRoots, true);
+    findTempRoots(tempRoots, options.censor);
     for (auto & root : tempRoots)
         _shared.lock()->tempRoots.insert(std::string(root.first.hashPart()));
 
diff --git a/src/libstore/include/nix/store/gc-store.hh b/src/libstore/include/nix/store/gc-store.hh
index cef6e8776..6b73ffc65 100644
--- a/src/libstore/include/nix/store/gc-store.hh
+++ b/src/libstore/include/nix/store/gc-store.hh
@@ -53,6 +53,12 @@ struct GCOptions
      * Stop after at least `maxFreed` bytes have been freed.
      */
     uint64_t maxFreed{std::numeric_limits<uint64_t>::max()};
+
+    /**
+     * Whether to hide potentially sensitive information about GC
+     * roots (such as PIDs).
+     */
+    bool censor = false;
 };