diff --git a/scripts/install.sh b/scripts/install.sh
index a19edd5..d16e13b 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -168,9 +168,16 @@ About to install banger $TARGET_VERSION (requires sudo):
   /etc/systemd/system/bangerd.service       (background daemon)
   /etc/systemd/system/bangerd-root.service  (privileged helper)
 
-Why sudo: banger needs permission to automatically manage network
-access for the VMs you launch. The privileged work runs in a small
-helper service; the rest runs as you.
+banger needs your permission to:
+
+  • set up VM networking (bridges, NAT, DNS routing for <vm>.vm)
+  • manage VM storage (rootfs snapshots, loop devices, image files)
+  • launch and stop firecracker processes under jailer isolation
+  • install the binaries to /usr/local and the systemd units above
+
+Once installed, day-to-day commands like 'banger vm run' and
+'banger image pull' run as you. Only the narrow set of operations
+above goes through the privileged helper service.
 
 For details, see: $TRUST_DOC_URL