diff --git a/docs/roles-and-permissions-architecture.md b/docs/roles-and-permissions-architecture.md index acea99e..063de32 100644 --- a/docs/roles-and-permissions-architecture.md +++ b/docs/roles-and-permissions-architecture.md @@ -1059,6 +1059,8 @@ end **Pattern:** Bypass for READ (list queries), CustomFieldValueCreateScope for create (no filter), HasPermission for read/update/destroy. Create uses a dedicated check because Ash cannot apply filters to create actions. +The bypass `action_type(:read)` is a production-side rule: reading own CFVs (where `member_id == actor.member_id`) is always allowed and overrides Permission-Sets; no further policies are needed for that. It applies to all read actions (get, list, load). + ```elixir defmodule Mv.Membership.CustomFieldValue do use Ash.Resource, ...
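Review bot: the added paragraph says reading own CFVs (`member_id == actor.member_id`) "is always allowed and overrides Permission-Sets" and that the bypass applies to "all read actions (get, list, load)", but the unchanged **Pattern** line just above describes the same bypass as "Bypass for READ (list queries)"; the two statements should be reconciled so readers know whether the bypass covers every read action or only list queries. The paragraph should also say how the `member_id == actor.member_id` condition is expressed, since a `bypass action_type(:read)` that authorizes unconditionally would grant reads of other members' values as well, whereas a filter-style check restricts the bypass to the actor's own rows; the text as written does not make clear which of the two is meant, and "no further policies are needed for that" only holds if the bypass condition itself enforces the ownership restriction. Finally, "production-side rule" is unclear in this context; if it means a rule enforced by the resource's policies rather than by Permission-Sets, say so directly.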