diff --git a/howto/puppet.md b/howto/puppet.md
index 1a8a7cb46307f109508b0edc58d8ef564f3541f5..3a3ec4e1b95b86187d12a0c66491af618f124969 100644
--- a/howto/puppet.md
+++ b/howto/puppet.md
@@ -149,6 +149,13 @@ on the puppet server. By assigning a node to the test environment via the
 small set) can be made to apply test puppet code. Once the feature branch is
 satisfying, it can be then simply merged to `main` and deleted.
 
+Because environments aren't totally isolated from each other and a compromised
+node could choose to apply an environment other than `production`, care should
+be taken with the code pushed to these feature branches. It's recommended to
+avoid overly broad debugging statements, if any, and to generally keep an
+active eye on feature branches so as to prevent the accumulation of unreviewed
+code.
+
 ### Modifying an existing configuration
 
 For new deployments, this is *NOT* the preferred method. For example,
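Review bot: The added paragraph (new lines 152-157) states the risk but gives the reader nothing concrete to do: "care should be taken" and "keep an active eye on feature branches" name no action and no owner. Since the paragraph itself says a compromised node could choose to apply an environment other than `production`, it would help to say plainly that any code pushed to a feature branch should be treated as reachable by every node, and then give a rule that follows from that, for example that abandoned branches are deleted in the same way the preceding paragraph already says merged ones are. The phrase "avoid overly broad debugging statements, if any" is also ambiguous: "if any" could attach to the statements or to the avoiding. Something like "avoid debugging statements where possible, and keep any that are needed narrow" reads more clearly. Finally, "aren't totally isolated from each other" leaves the reader guessing what is shared between environments; a short clause saying what is not isolated, or a link to where that is documented, would make the warning easier to act on.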