diff --git a/changelogs/unreleased/8491-reasonerjt b/changelogs/unreleased/8491-reasonerjt
new file mode 100644
index 0000000000..29fd4acaf5
--- /dev/null
+++ b/changelogs/unreleased/8491-reasonerjt
@@ -0,0 +1 @@
+Add SecurityContext to restore-helper
\ No newline at end of file
diff --git a/pkg/restore/actions/pod_volume_restore_action.go b/pkg/restore/actions/pod_volume_restore_action.go
index 36722b0a29..3db8052b67 100644
--- a/pkg/restore/actions/pod_volume_restore_action.go
+++ b/pkg/restore/actions/pod_volume_restore_action.go
@@ -19,6 +19,7 @@ package actions
 import (
 "context"
 "fmt"
+ "github.com/vmware-tanzu/velero/pkg/util/boolptr"
 "strings"
 "github.com/pkg/errors"
@@ -143,9 +144,15 @@ func (a *PodVolumeRestoreAction) Execute(input *velero.RestoreItemActionExecuteI
 runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx := getSecurityContext(log, config)
- securityContext, err := kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
- if err != nil {
- log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+ var securityContext corev1.SecurityContext
+ if runAsUser == "" && runAsGroup == "" && allowPrivilegeEscalation == "" && secCtx == "" {
+ securityContext = defaultSecurityCtx()
+ } else {
+ securityContext, err = kube.ParseSecurityContext(runAsUser, runAsGroup, allowPrivilegeEscalation, secCtx)
+ if err != nil {
+ log.Errorf("Using default securityContext values, couldn't parse securityContext requirements: %s.", err)
+ securityContext = defaultSecurityCtx()
+ }
 }
 initContainerBuilder := newRestoreInitContainerBuilder(image, string(input.Restore.UID))
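Review bot: The added `"github.com/vmware-tanzu/velero/pkg/util/boolptr"` import is placed inside the standard-library group between `"fmt"` and `"strings"`; goimports/gofmt grouping puts it in the non-stdlib group below `"github.com/pkg/errors"`. This is placement only and has no behavioural effect, but it will be reshuffled by the next formatter run.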
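Review bot: In the new else branch, whatever `kube.ParseSecurityContext` returns is used as-is, so once an operator sets any one of the four fields (say only runAsUser) the restricted hardening that `defaultSecurityCtx()` adds (drop ALL, RuntimeDefault seccomp, RunAsNonRoot) applies only if ParseSecurityContext fills those in itself — that function is outside this hunk, so this cannot be confirmed here. If it does not, consider starting from `defaultSecurityCtx()` and overlaying only the parsed non-nil fields, or at least documenting the all-or-nothing behaviour above the `if`, e.g. `// A partial securityContext config replaces the restricted default entirely; unset fields are not merged.`. The parse-error path now silently substitutes the restricted default for an operator-supplied but malformed value; that fails in the safe direction, but the log line is the only signal that the configured intent was dropped. The else branch assigns to an `err` declared earlier in Execute, whose body begins and ends outside the hunk.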
@@ -282,3 +289,20 @@ func newRestoreInitContainerBuilder(image, restoreUID string) *builder.Container
 },
 }...)
 }
+
+// defaultSecurityCtx returns a default security context for the init container, which has the level "restricted" per
+// Pod Security Standards.
+func defaultSecurityCtx() corev1.SecurityContext {
+ uid := int64(1000)
+ return corev1.SecurityContext{
+ AllowPrivilegeEscalation: boolptr.False(),
+ Capabilities: &corev1.Capabilities{
+ Drop: []corev1.Capability{"ALL"},
+ },
+ SeccompProfile: &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ },
+ RunAsUser: &uid,
+ RunAsNonRoot: boolptr.True(),
+ }
+}
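Review bot: `uid := int64(1000)` is an unexplained magic number that decides which user the restore-helper init container runs as and therefore which UID owns whatever it writes into the restored volume; lift it to a named, commented constant, e.g. `// defaultRestoreHelperUID is the non-root UID the restore-helper runs as when no securityContext is configured.` followed by `const defaultRestoreHelperUID int64 = 1000`, and use `uid := defaultRestoreHelperUID`. The fields set here (AllowPrivilegeEscalation false, all capabilities dropped, RuntimeDefault seccomp, RunAsNonRoot true) are consistent with the "restricted" Pod Security Standard the doc comment claims. The comment could also note that RunAsGroup is deliberately left unset, so write access to a volume owned by another UID/GID depends on the pod's own securityContext/fsGroup rather than on this default — presumably intentional, worth stating.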