diff --git a/Security-Overview.md b/Security-Overview.md
index a74303b..4a15b34 100644
--- a/Security-Overview.md
+++ b/Security-Overview.md
@@ -42,12 +42,6 @@ If you're importing private links or authenticated content, you probably don't w
-> [!TIP]
-> Make sure you run Docker commands with `run` instead of `exec` or you'll get a warning! e.g.
-> ✅ `docker compose run archivebox manage create superuser`
-> *instead of:*
-> ❌ `docker compose exec archivebox manage create superuser`
-
Do not run ArchiveBox as root for a number of reasons:
- Chrome will execute as root and fail immediately because Chrome sandboxing is pointless when the data directory is opened as root (do not set `CHROME_SANDBOX=False` just to bypass that error!)
- All dependencies will be run as root, if any of them have a vulnerability that's exploited by sites you're archiving you're opening yourself up to full system compromise
@@ -63,6 +57,17 @@ chown -R archivebox:archivebox /home/archivebox
sudo -u archivebox archivebox add ...
```
+
+> [!WARNING]
+> **Did you try run a command in Docker with `exec` instead of `run` by accident?**
+> Make sure you use `docker run` instead of `docker exec` to run ArchiveBox commands.
+> `run` automatically takes care of dropping down to the `archivebox` user within Docker e.g.
+> ✅ `docker compose run archivebox manage createsuperuser`
+> ✅ `docker run -it -v $PWD:/data archivebox/archivebox manage createsuperuser`
+> *instead of:*
+> ❌ `docker compose exec archivebox manage createsuperuser`
+> ❌ `docker exec archivebox manage createsuperuser`
+
~~If you absolutely must run it as root for some reason, a footgun is provided: you can set [`ALLOW_ROOT=True`](https://github.com/ArchiveBox/ArchiveBox/wiki/Configuration#ALLOW_ROOT) via environment variable or in your ArchiveBox.conf file.~~ This footgun option was removed (I'm sorry, the support burden of helping people who messed up their systems by running everything as root was too high).
