diff --git a/server/authz/policy.rego b/server/authz/policy.rego
index e1f5a99473..465bb5a355 100644
--- a/server/authz/policy.rego
+++ b/server/authz/policy.rego
@@ -312,8 +312,10 @@ allow {
 subject.global_role == maintainer
 action = run_new
 }
+
 # Team admin and maintainer running a non-observers_can_run query must have the targets
-# filtered to only teams that they maintain
+# filtered to only teams that they maintain. That check is not validated by this rego
+# file, it is a filter that is applied at the datastore level (in HostIDsInTargets).
 allow {
 object.type == "query"
 # If role is maintainer on any team
@@ -337,7 +339,8 @@ allow {
 action = run
 }
 # Team observer running a observers_can_run query must have the targets
-# filtered to only teams that they observe
+# filtered to only teams that they observe. That check is not validated by this rego
+# file, it is a filter that is applied at the datastore level (in HostIDsInTargets).
 allow {
 object.type == "query"
 object.observer_can_run == true
@@ -454,4 +457,4 @@ allow {
 not is_null(subject)
 object.type == "software"
 action == read
-}
\ No newline at end of file
+}
diff --git a/server/service/campaigns_test.go b/server/service/campaigns_test.go
index d8467d1d17..91aa7b8ecb 100644
--- a/server/service/campaigns_test.go
+++ b/server/service/campaigns_test.go
@@ -128,7 +128,11 @@ func TestLiveQueryAuth(t *testing.T) {
 false,
 false,
 },
-// TODO(mna): I don't think this is properly validated by rego, see https://github.com/fleetdm/fleet/issues/3950
+// NOTE: this specific case is not covered by the rego authorization policy,
+// it is at the datastore level that a filter is applied to only consider
+// hosts that the user can see (that is, a fleet.TeamFilter is passed to
+// ds.HostIDsInTargets and that call applies the filter to return only
+// allowed hosts).
 /* {
 "team admin, target not set to own team",
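Review bot: The new comment lines under `# Team admin and maintainer running a non-observers_can_run query ...` say the team restriction is not validated by rego, but not that the restriction only holds when the caller actually passes the team filter, so a reader can still take this `allow` rule as the complete authorization decision. Because the rule allows the action and relies entirely on a downstream filter, a code path that reaches the datastore without a `fleet.TeamFilter` would presumably be unrestricted, and the only tests naming that scenario are the commented-out cases in campaigns_test.go. I would make the dependency explicit, e.g. `# file; it relies on every caller passing a fleet.TeamFilter to ds.HostIDsInTargets, which narrows the targets to the user's teams.` The same wording belongs on the `# Team observer running a observers_can_run query ...` comment in the -337,7 +339,8 hunk. The `allow` rule this comment introduces continues past the end of the hunk.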
@@ -147,7 +151,7 @@ func TestLiveQueryAuth(t *testing.T) {
 false,
 false,
 },
-// TODO(mna): I don't think this is properly validated by rego, see https://github.com/fleetdm/fleet/issues/3950
+// NOTE: same as the note above.
 /* {
 "team observer, target not set to own team",