diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 7538b9ed..9e1737a2 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,6 +11,17 @@ # Distributions and other programs can add rules in the usr/systemd.d directory +# TODO: rework this to get a controlled environment: (cf security model) +# - No global allow anymore: in high security environments, we must manage the list +# of program/service that can be started by systemd and ensure that they are all +# listed and confined. Programs not listed will not be able to start. +# - Outside common systemd service, the list may have to be automatically +# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# - Stop disabling nnp flags in systemd dropin files. +# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) +# need they own profile, profile name configured as a dropin unit file. +# - When this is done: the fallback profile as root will not be needed. + abi , include diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 71b9048a..32228f21 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,6 +11,8 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory +# TODO: rework this to get a controlled environment. cf comments in systemd profile. + abi , include
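Review bot: the new TODO block in apparmor.d/groups/_full/systemd has a grammar slip in its fourth bullet, "Each systemd services ... need they own profile"; it should read "Each systemd service in `systemd-service` ... needs its own profile". More substantively, the bullets describe the intended security model (no global allow, an exec list generated at install time in `/etc/apparmor.d/usr/systemd.d/exec`, no more disabling of nnp flags in dropin files, no root fallback profile), but the hunk changes only comments, so the profile keeps whatever broad rules the comment says high-security environments must not have. Consider pointing "(cf security model)" at the actual document or issue that tracks this work, so a reader of the profile can tell this is an interim state rather than the enforced one.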
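Review bot: the one-line TODO in apparmor.d/groups/_full/systemd-user refers to "comments in systemd profile" without naming the file; quoting the path `apparmor.d/groups/_full/systemd` would remove the ambiguity. Since this profile takes its extra rules from `usr/systemd-user.d` rather than `usr/systemd.d`, the comment should also say whether the install-time exec list planned for the system instance is meant to cover user services as well or whether a separate list is expected here.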