diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 73aa79e90bcabb3b73eff19f6f868df71306ba4f..bf9593697365108641ba096f9a4626258b7e762e 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,7 +2,8 @@
 ### Untrusted_app_all.
 ###
 ### This file defines the rules shared by all untrusted app domains except
-### ephemeral apps.
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
 ### Apps are labeled based on mac_permissions.xml (maps signer and
 ### optionally package name to seinfo value) and seapp_contexts (maps UID
 ### and optionally seinfo value to domain for process and type for data
@@ -17,6 +18,8 @@
 ### or define and use a new seinfo value in both mac_permissions.xml and
 ### seapp_contexts.
 ###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
 
 # Legacy text relocations
 allow untrusted_app_all apk_data_file:file execmod;
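Review bot: The note added at the end of the header comment in the second hunk is ambiguous ("must be in app.te or also added to ...") and does not say that the two options differ in scope. In AOSP policy app.te carries rules for every app domain, not only untrusted ones, so placing a rule there grants it more widely than duplicating it into untrusted_v2_app.te and ephemeral_app.te; the comment should point authors at the narrower option unless the wider grant is intended. Suggested wording: `### Note that a rule meant for all untrusted apps must also be added to untrusted_v2_app.te and` / `### ephemeral_app.te; put it in app.te only if it should apply to every app domain.` The comment block begins above the hunk, so this has not been checked against its earlier lines.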