diff --git a/spec.bs b/spec.bs
index 61108b1e..37ef4d8c 100644
--- a/spec.bs
+++ b/spec.bs
@@ -410,6 +410,16 @@ A <dfn>fenced frame config mapping</dfn> has three submappings:
      configs=]
 </dl>
 
+Note: The purpose of pending configs is to enable config-generating APIs to resolve configs
+asynchronously in a way that doesn't create timing side channels, i.e., the pending config is
+returned to the web platform in a constant amount of time, before any computation whose duration
+depends on cross-site data. Because the privacy of this depends on the web platform not being able
+to discern when a pending config is finalized, it is important that all visibilities and values of
+transparent fields do not change from the pending config to the finalized config, given that they
+can be inspected through {{FencedFrameConfig}}'s getters. Therefore, a {{FencedFrameConfig}} that
+is created and exposed to the web platform is effectively immutable even if its underlying
+[=fencedframeconfig/config=] is technically "pending", and will finish resolving completely later.
+
 Each [=fenced frame config mapping=] has a <dfn for="fenced frame config mapping">maximum number of
 configs</dfn>, which is implementation-defined. The [=fenced frame config mapping/maximum number of
 configs=] may be a nonnegative number or infinity.