diff --git a/cmd/config/internal/commands/e2e/e2e_test.go b/cmd/config/internal/commands/e2e/e2e_test.go index 0f237590b..09a9030b4 100644 --- a/cmd/config/internal/commands/e2e/e2e_test.go +++ b/cmd/config/internal/commands/e2e/e2e_test.go @@ -199,6 +199,11 @@ metadata: }, { + // + // NOTE: Do not change the expected value of this test. It is to ensure that + // exec functions are off by default when run from the CLI. + // exec functions execute arbitrary code outside of a sandbox environment. + // name: "exec_function_config_disabled", args: func(d string) []string { return []string{} }, files: func(d string) map[string]string { diff --git a/cmd/config/internal/commands/run-fns.go b/cmd/config/internal/commands/run-fns.go index 83a3ca7aa..9337c8c96 100644 --- a/cmd/config/internal/commands/run-fns.go +++ b/cmd/config/internal/commands/run-fns.go @@ -41,8 +41,9 @@ func GetRunFnRunner(name string) *RunFnRunner { r.Command.Flags().StringVar( &r.Image, "image", "", "run this image as a function instead of discovering them.") + // NOTE: exec plugins execute arbitrary code -- never change the default value of this flag!!! r.Command.Flags().BoolVar( - &r.EnableExec, "enable-exec", false, "enable support for exec functions. (Alpha)") + &r.EnableExec, "enable-exec", false /*do not change!*/, "enable support for exec functions -- note: exec functions run arbitrary code -- do not use for untrusted configs!!! (Alpha)") r.Command.Flags().StringVar( &r.ExecPath, "exec-path", "", "run an executable as a function. (Alpha)") r.Command.Flags().StringArrayVar(
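Review bot: The comment added above the `exec_function_config_disabled` case does not name the flag or the code it protects, so someone who changes the default in another file has no pointer back to this test. Consider adding a line such as `// Guards the false default of --enable-exec registered in GetRunFnRunner (run-fns.go).` The test case's body continues past the end of the hunk, so the expected value itself is not visible here.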
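Review bot: The `--exec-path` flag in the trailing context lines of the run-fns.go hunk keeps the help text `"run an executable as a function. (Alpha)"` with no warning, although it names an executable to run and so carries the same risk the new `--enable-exec` text describes. I would give it the same caution, e.g. `"run an executable as a function -- runs arbitrary code, do not use with untrusted configs. (Alpha)"`, and confirm that it has no effect unless `--enable-exec` is set; that gating is not visible in this hunk. Separately, within this file the default is protected only by comments; a unit check next to the command, such as `GetRunFnRunner("").Command.Flags().Lookup("enable-exec").DefValue == "false"`, would fail fast if it changed. GetRunFnRunner's body starts and ends outside the hunk.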