diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
index f8a3919..de20400 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
@@ -5,12 +5,10 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
+## user-sysmaint-split hardens this further.
 /usr/bin/pkexec exactwhitelist
 /usr/bin/pkexec.security-misc-orig exactwhitelist
-## TODO: research
-## TODO: Should be handled in user-sysmaint-split?
-##
 ## Required for PolicyKit (Polkit) to function.
 ##
 ## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid#
@@ -24,4 +22,6 @@
 ## matches both:
 ## - /usr/lib/policykit-1/polkit-agent-helper-1
 ## - /lib/policykit-1/polkit-agent-helper-1
+##
+## user-sysmaint-split hardens this further.
 polkit-agent-helper-1 matchwhitelist
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
index 5ebdae3..bf76069 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
@@ -5,5 +5,6 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
+## TODO: research and document
 postqueue matchwhitelist
 postdrop matchwhitelist
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
index fd74488..62d3198 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
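Review bot: The added line `## user-sysmaint-split hardens this further.` replaces the removed question (`Should be handled in user-sysmaint-split?`) with a bare assertion and gives the reader nothing to check it against; a package name, file path or link to where user-sysmaint-split applies the tighter policy would make the comment verifiable, and the identical wording is added again in this file's second hunk and in the sudo hunk. While here, the hunk keeps `/usr/bin/pkexec.security-misc-orig exactwhitelist` with no rationale — presumably a preserved copy of the original pkexec, which leaves two privileged copies of the same binary exempt from hardening — so a one-line comment on why the copy must keep its exemption, and whether user-sysmaint-split covers it too, would help the next reviewer. Suggested wording for the new line: `## Exemptions for pkexec and its preserved original; user-sysmaint-split restricts these further (see <PLACEHOLDER: path or doc link>).`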
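Review bot: The added `## TODO: research and document` above `postqueue matchwhitelist` records that the rationale is unknown instead of supplying it, so the entries below it are no better explained than before the commit; the selinux and spice hunks add the identical line. The policykit file in this same diff shows the style worth matching (`## Required for PolicyKit (Polkit) to function.` plus a reference link), so each entry should at least say what the binary does and why it must keep its elevated bit. For Postfix, if the standard layout applies here, something like `## postdrop and postqueue are setgid so unprivileged users can submit mail to the local queue; verify against the Postfix documentation before removing this TODO.` would do, and the utempter and spice helpers want a similar one-liner. Separately, the selinux hunk's only entry is `/utempter/utempter matchwhitelist`, which does not look SELinux-related, so the file name or the entry's placement may deserve a second look.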
@@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
+## TODO: research and document
 /utempter/utempter matchwhitelist
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
index df29fec..5b79059 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
@@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
+## TODO: research and document
 spice-client-glib-usb-acl-helper matchwhitelist
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
index ee68aba..e15b265 100644
--- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
@@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
+## user-sysmaint-split hardens this further.
 /usr/bin/sudo exactwhitelist