diff --git a/backend/app/core/admin_database.py b/backend/app/core/admin_database.py
index 1e84a132..26a5b7f7 100644
--- a/backend/app/core/admin_database.py
+++ b/backend/app/core/admin_database.py
@@ -2,8 +2,10 @@
 """
 Admin database engine — connects as resolutionflow_admin (BYPASSRLS).
 
-Use ONLY for /admin/* endpoints and internal tooling.
-Never use this engine from user-facing endpoints.
+Use ONLY where explicit application-level access control makes database-layer
+tenant filtering unnecessary: /admin/* endpoints, internal tooling, and public
+endpoints that enforce their own authorization before returning data (e.g.
+share access via opaque token + visibility check).
 """
 
 from collections.abc import AsyncGenerator
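Review bot: The rewritten module docstring drops the hard rule "Never use this engine from user-facing endpoints" and replaces it with a criterion each caller judges for itself, so nothing here tells a reader any longer that ordinary tenant-scoped endpoints must stay on the RLS-enforced engine. Because this engine connects as a BYPASSRLS role, a missing or incomplete filter in one of the newly permitted public endpoints would return other tenants' rows with no database-layer backstop. I would keep an explicit prohibition and spell out the caller's obligation, for example by adding `Never use this engine from authenticated tenant endpoints; every query issued through it must be scoped explicitly to the resource the caller was authorized for.` Whether the share path needs the full admin role rather than a narrower one is not visible in this hunk and is worth confirming.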