diff --git a/doc/source/overview_encryption.rst b/doc/source/overview_encryption.rst
index cc429737eb..beab7ba11d 100644
--- a/doc/source/overview_encryption.rst
+++ b/doc/source/overview_encryption.rst
@@ -781,8 +781,9 @@ encrypted.
 
 Encryption has no impact on the `container-reconciler` service. The
 `container-reconciler` uses an internal client to move objects between
-different policy rings. The destination object has the same URL as the source
-object and the object is moved without re-encryption.
+different policy rings. The reconciler's pipeline *MUST NOT* have encryption
+enabled. The destination object has the same URL as the source object and the
+object is moved without re-encryption.
 
 
 Considerations for developers
diff --git a/etc/container-reconciler.conf-sample b/etc/container-reconciler.conf-sample
index ea8bc53a19..ee507a396b 100644
--- a/etc/container-reconciler.conf-sample
+++ b/etc/container-reconciler.conf-sample
@@ -58,6 +58,12 @@
 # ionice_priority =
 
 [pipeline:main]
+# Note that the reconciler's pipeline is intentionally very sparse -- it is
+# only responsible for moving data from one policy to another and should not
+# perform any transformations beyond (potentially) changing erasure coding.
+# It notably MUST NOT include transformative middlewares (such as encryption),
+# redirection middlewares (such as symlink), or composing middlewares (such
+# as slo and dlo).
 pipeline = catch_errors proxy-logging cache proxy-server
 
 [app:proxy-server]