63 files changed, 218 insertions, 248 deletions
diff --git a/etc/profile-a-l/archiver-common.profile b/etc/profile-a-l/archiver-common.profile
index 74b0b6ef6..0ab6465ca 100644
--- a/etc/profile-a-l/archiver-common.profile
+++ b/etc/profile-a-l/archiver-common.profile
@@ -6,24 +6,19 @@ include archiver-common.local
 blacklist ${RUNUSER}
-# WARNING: Users can (un)restrict file access for **all** archivers by
+# Comment/uncomment the relevant include file(s) in your archiver-common.local
-# commenting/uncommenting the needed include file(s) here or by putting those
+# to (un)restrict file access for **all** archivers. Another option is to do this **per archiver**
-# into archiver-common.local.
+# in the relevant <archiver>.local. Beware that things tend to break when overtightening
-#
+# profiles. For example, because you only need to (un)compress files in ${DOWNLOADS},
-# Another option is to do this **per archiver** in the relevant
+# other applications may need access to ${HOME}/.local/share.
-# <archiver>.local. Just beware that things tend to break when overtightening
-# profiles. For example, because you only need to (un)compress files in
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-common.inc.
-# ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
-# Uncomment the next line (or put it into your archiver-common.local) if you
-# don't need to compress files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your archiver-common.local) if you
+# Add the next line to your archiver-common.local if you don't need to compress files in disable-programs.inc.
-# don't need to compress files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
diff --git a/etc/profile-a-l/aria2c.profile b/etc/profile-a-l/aria2c.profile
index d2dcaace1..bef708bdc 100644
--- a/etc/profile-a-l/aria2c.profile
+++ b/etc/profile-a-l/aria2c.profile
@@ -40,9 +40,9 @@ seccomp
 shell none
 # disable-mnt
-# Add your custom event hook commands to 'private-bin' in your aria2c.local
+# Add your custom event hook commands to 'private-bin' in your aria2c.local.
 private-bin aria2c,gzip
-# Uncomment the next line (or put 'private-cache' in your aria2c.local) if you don't use Lutris/winetricks (see issue #2772)
+# Add 'private-cache' to your aria2c.local if you don't use Lutris/winetricks (see issue #2772).
 #private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,groups,login.defs,machine-id,nsswitch.conf,passwd,pki,resolv.conf,ssl
diff --git a/etc/profile-a-l/bcompare.profile b/etc/profile-a-l/bcompare.profile
index 178e2dc9f..5c93f8be9 100644
--- a/etc/profile-a-l/bcompare.profile
+++ b/etc/profile-a-l/bcompare.profile
@@ -12,37 +12,25 @@ noblacklist ${HOME}/.config/bcompare
 # KDE's Gwenview to view images via right click -> Open With -> Associated Application
 noblacklist ${HOME}/.config/gwenviewrc
-# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-common.inc
+# Add the next line to your bcompare.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your bcompare.local) if you don't need to compare files in disable-programs.inc
+# Add the next line to your bcompare.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
-# Uncommenting this breaks launch
+#include disable-shell.inc - breaks launch
-# include disable-shell.inc
 include disable-write-mnt.inc
-# Don't disable ${DOCUMENTS}, ${MUSIC}, ${PICTURES}, ${VIDEOS}
-# include disable-xdg.inc
-# include whitelist-common.inc
-# include whitelist-runuser-common.inc
-# include whitelist-usr-share-common.inc
-# include whitelist-var-common.inc
 apparmor
 caps.drop all
-# Uncommenting might break Pulse Audio
-#machine-id
 net none
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-# Allow applications launched on sound files to play them
-#nosound
 notv
 nou2f
 novideo
@@ -53,9 +41,6 @@ tracelog
 private-cache
 private-dev
-# see /usr/share/doc/firejail/profile.template for more common private-etc paths.
-# private-etc alternatives,fonts,machine-id
-# Necessary because of the `include disable-exec.inc` line. Prevents error "Error fstat: fs.c:504 fs_remount_simple: Transport endpoint is not connected ... cannot sync with peer: unexpected EOF Peer [...] unexpectedly exited with status 1"
 private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/chromium-common.profile b/etc/profile-a-l/chromium-common.profile
index 3667c350d..e9bef8df7 100644
--- a/etc/profile-a-l/chromium-common.profile
+++ b/etc/profile-a-l/chromium-common.profile
@@ -30,12 +30,10 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# Uncomment the next line (or add it to your chromium-common.local)
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-# if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
-# Uncomment or put in your chromium-common.local to allow screen sharing under
+# Add the next line to your chromium-common.local to allow screen sharing under wayland.
-# wayland.
 #whitelist ${RUNUSER}/pipewire-0
 apparmor
@@ -50,12 +48,10 @@ shell none
 disable-mnt
 private-cache
 ?BROWSER_DISABLE_U2F: private-dev
-# problems with multiple browser sessions
+#private-tmp - issues when using multiple browser sessions
-#private-tmp
-# prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector
+#dbus-user none - prevents access to passwords saved in GNOME Keyring and KWallet, also breaks Gnome connector.
-# dbus-user none
 dbus-system none
-# the file dialog needs to work without d-bus
+# The file dialog needs to work without d-bus.
 ?HAS_NODBUS: env NO_CHROME_KDE_FILE_DIALOG=1
diff --git a/etc/profile-a-l/claws-mail.profile b/etc/profile-a-l/claws-mail.profile
index b4a8303a2..691657fa0 100644
--- a/etc/profile-a-l/claws-mail.profile
+++ b/etc/profile-a-l/claws-mail.profile
@@ -11,7 +11,7 @@ noblacklist ${HOME}/.claws-mail
 mkdir ${HOME}/.claws-mail
 whitelist ${HOME}/.claws-mail
-# If you use python-based plugins you need to uncomment the below (or put them in your claws-mail.local)
+# Add the below lines to your claws-mail.local if you use python-based plugins.
 # Allow python (blacklisted by disable-interpreters.inc)
 #include allow-python2.inc
 #include allow-python3.inc
@@ -23,7 +23,7 @@ whitelist /usr/share/doc/claws-mail
 dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# if you use the notification plugin you need to uncomment the below (or put them in your claws-mail.local)
+# Add the next line to your claws-mail.local if you use the notification plugin.
 # dbus-user.talk org.freedesktop.Notifications
 # Redirect
diff --git a/etc/profile-a-l/clipgrab.profile b/etc/profile-a-l/clipgrab.profile
index dace5e83e..130d23522 100644
--- a/etc/profile-a-l/clipgrab.profile
+++ b/etc/profile-a-l/clipgrab.profile
@@ -42,6 +42,6 @@ private-cache
 private-dev
 private-tmp
-# Breaks tray icon, uncomment or add to clipgrab.local if you don't need it
+# 'dbus-user none' breaks tray menu - add 'dbus-user none' to your clipgrab.local if you don't need it.
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/curl.profile b/etc/profile-a-l/curl.profile
index f8b194044..9366edfa1 100644
--- a/etc/profile-a-l/curl.profile
+++ b/etc/profile-a-l/curl.profile
@@ -9,9 +9,9 @@ include globals.local
 # curl 7.74.0 introduces experimental support for HSTS cache
 # https://daniel.haxx.se/blog/2020/11/03/hsts-your-curl/
-# technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts
+# Technically this file can be anywhere but let's assume users have it in ${HOME}/.curl-hsts.
-# if your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
+# If your setup diverts, add 'blacklist /path/to/curl/hsts/file' to your disable-programs.local
-# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact
+# and 'noblacklist /path/to/curl/hsts/file' to curl.local to keep the sandbox logic intact.
 noblacklist ${HOME}/.curl-hsts
 noblacklist ${HOME}/.curlrc
@@ -22,7 +22,7 @@ include disable-common.inc
 include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your curl.local
+# Depending on workflow you can add 'include disable-xdg.inc' to your curl.local.
 #include disable-xdg.inc
 include whitelist-usr-share-common.inc
diff --git a/etc/profile-a-l/dig.profile b/etc/profile-a-l/dig.profile
index 80d97a31f..b99b31df8 100644
--- a/etc/profile-a-l/dig.profile
+++ b/etc/profile-a-l/dig.profile
@@ -21,7 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-#mkfile ${HOME}/.digrc -- see #903
+#mkfile ${HOME}/.digrc - see #903
 whitelist ${HOME}/.digrc
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
@@ -49,7 +49,7 @@ tracelog
 disable-mnt
 private-bin bash,dig,sh
 private-dev
-# Uncomment the next line (or put 'private-lib' in your dig.local) on non Debian/Ubuntu OS (see issue #3038)
+# Add the next line to your dig.local on non Debian/Ubuntu OS (see issue #3038).
 #private-lib
 private-tmp
diff --git a/etc/profile-a-l/dolphin-emu.profile b/etc/profile-a-l/dolphin-emu.profile
index fc920a065..49feec32e 100644
--- a/etc/profile-a-l/dolphin-emu.profile
+++ b/etc/profile-a-l/dolphin-emu.profile
@@ -6,7 +6,7 @@ include dolphin-emu.local
 # Persistent global definitions
 include globals.local
-# Note: you must whitelist your games folder in a dolphin-emu.local
+# Note: you must whitelist your games folder in your dolphin-emu.local.
 noblacklist ${HOME}/.cache/dolphin-emu
 noblacklist ${HOME}/.config/dolphin-emu
@@ -36,10 +36,10 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 ipc-namespace
-# uncomment the following line if you do not need NetPlay support
+# Add the next line to your dolphin-emu.local if you do not need NetPlay support.
 # net none
 netfilter
-# uncomment the following line if you do not need disc support
+# Add the next line to your dolphin-emu.local if you do not need disc support.
 #nodvd
 nogroups
 nonewprivs
@@ -54,7 +54,7 @@ tracelog
 private-bin bash,dolphin-emu,dolphin-emu-x11,sh
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your dolphin-emu.local if you do not need controller support.
 #private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,kde4rc,kde5rc,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,Trolltech.conf,X11,xdg
 private-opt none
diff --git a/etc/profile-a-l/electron.profile b/etc/profile-a-l/electron.profile
index 79b449ab1..8785a192c 100644
--- a/etc/profile-a-l/electron.profile
+++ b/etc/profile-a-l/electron.profile
@@ -18,8 +18,7 @@ include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# Uncomment the next line (or add it to your chromium-common.local)
+# Add the next line to your chromium-common.local if your kernel allows unprivileged userns clone.
-# if your kernel allows unprivileged userns clone.
 #include chromium-common-hardened.inc.profile
 apparmor
diff --git a/etc/profile-a-l/emacs.profile b/etc/profile-a-l/emacs.profile
index 226237b5b..55bf743ef 100644
--- a/etc/profile-a-l/emacs.profile
+++ b/etc/profile-a-l/emacs.profile
@@ -8,8 +8,7 @@ include globals.local
 noblacklist ${HOME}/.emacs
 noblacklist ${HOME}/.emacs.d
-# if you need gpg uncomment the following line
+# Add the next line to your emacs.local if you need gpg support.
-# or put it into your emacs.local
 #noblacklist ${HOME}/.gnupg
 # Allows files commonly used by IDEs
diff --git a/etc/profile-a-l/evince.profile b/etc/profile-a-l/evince.profile
index 25d5196fc..eeccb81be 100644
--- a/etc/profile-a-l/evince.profile
+++ b/etc/profile-a-l/evince.profile
@@ -6,8 +6,8 @@ include evince.local
 # Persistent global definitions
 include globals.local
-# Uncomment this line and the bottom ones to use bookmarks
+# WARNING: using bookmarks possibly exposes information, including file history from other programs.
-# NOTE: This possibly exposes information, including file history from other programs.
+# Add the next line to your evince.local if you need bookmarks support. This also needs additional dbus-user filtering (see below).
 #noblacklist ${HOME}/.local/share/gvfs-metadata
 noblacklist ${HOME}/.config/evince
@@ -57,9 +57,9 @@ private-etc alternatives,fonts,group,ld.so.cache,machine-id,passwd
 private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
 private-tmp
-# might break two-page-view on some systems
+# dbus-user filtering might break two-page-view on some systems
 dbus-user filter
-# Also uncomment these two lines if you want to use bookmarks
+# Add the next two lines to your evince.local if you need bookmarks support.
 #dbus-user.talk org.gtk.vfs.Daemon
 #dbus-user.talk org.gtk.vfs.Metadata
 dbus-system none
diff --git a/etc/profile-a-l/exiftool.profile b/etc/profile-a-l/exiftool.profile
index 30135d4bc..b6741d701 100644
--- a/etc/profile-a-l/exiftool.profile
+++ b/etc/profile-a-l/exiftool.profile
@@ -42,8 +42,9 @@ shell none
 tracelog
 x11 none
-# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool to /usr/bin/exiftool and uncomment the below.
+# To support exiftool in private-bin on Arch Linux (and derivatives), symlink /usr/bin/vendor_perl/exiftool
-# Users on non-Arch Linux distributions can safely uncomment (or put in exiftool.local) the line below to enable extra hardening.
+# to /usr/bin/exiftool and add the below to your exiftool.local.
+# Non-Arch Linux users can safely add the below to their exiftool.local for extra hardening.
 #private-bin exiftool,perl
 private-cache
 private-dev
diff --git a/etc/profile-a-l/feh.profile b/etc/profile-a-l/feh.profile
index 4d6a0c33a..68ce0da61 100644
--- a/etc/profile-a-l/feh.profile
+++ b/etc/profile-a-l/feh.profile
@@ -15,10 +15,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-# This profile disables network access
+# Add the next line to your feh.local to enable network access.
-# In order to enable network access,
+#include feh-network.inc.profile
-# uncomment the following or put it in your feh.local:
-# include feh-network.inc.profile
 caps.drop all
 net none
diff --git a/etc/profile-a-l/firefox-common.profile b/etc/profile-a-l/firefox-common.profile
index a955722c8..b0ead7590 100644
--- a/etc/profile-a-l/firefox-common.profile
+++ b/etc/profile-a-l/firefox-common.profile
@@ -9,7 +9,7 @@ include firefox-common.local
 # noexec ${HOME} breaks DRM binaries.
 ?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
-# Uncomment the following line (or put it in your firefox-common.local) to allow access to common programs/addons/plugins.
+# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
 #include firefox-common-addons.profile
 noblacklist ${HOME}/.pki
@@ -32,7 +32,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks pulse audio; it should work fine in setups where sound is not required.
+# machine-id breaks pulse audio; add it to your firefox-common.local if sound is not required.
 #machine-id
 netfilter
 nodvd
@@ -52,10 +52,11 @@ shell none
 disable-mnt
 ?BROWSER_DISABLE_U2F: private-dev
 # private-etc below works fine on most distributions. There are some problems on CentOS.
+# Add it to your firefox-common.local if you want to enable it.
 #private-etc alternatives,asound.conf,ca-certificates,crypto-policies,dconf,fonts,group,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,localtime,machine-id,mailcap,mime.types,nsswitch.conf,pango,passwd,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
-# breaks various desktop integration features
+# 'dbus-user none' breaks various desktop integration features like global menus, native notifications,
-# among other things global menus, native notifications, Gnome connector, KDE connect and power management on KDE Plasma
+# Gnome connector, KDE connect and power management on KDE Plasma.
 dbus-user none
 dbus-system none
diff --git a/etc/profile-a-l/firefox.profile b/etc/profile-a-l/firefox.profile
index 68dd350ca..cefba93d4 100644
--- a/etc/profile-a-l/firefox.profile
+++ b/etc/profile-a-l/firefox.profile
@@ -14,8 +14,8 @@ mkdir ${HOME}/.mozilla
 whitelist ${HOME}/.cache/mozilla/firefox
 whitelist ${HOME}/.mozilla
-# Uncomment or put in your firefox.local one of the following whitelist to enable KeePassXC Plugin
+# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
-# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them
+# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
 #whitelist ${RUNUSER}/kpxc_server
 #whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer
@@ -27,31 +27,30 @@ whitelist /usr/share/mozilla
 whitelist /usr/share/webext
 include whitelist-usr-share-common.inc
-# firefox requires a shell to launch on Arch.
+# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
-# Fedora use shell scripts to launch firefox, at least this is required
+# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
 #private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
-# private-etc must first be enabled in firefox-common.profile
+# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too.
 #private-etc firefox
 dbus-user filter
 dbus-user.own org.mozilla.Firefox.*
 dbus-user.own org.mozilla.firefox.*
 dbus-user.own org.mpris.MediaPlayer2.firefox.*
-# Uncomment or put in your firefox.local to enable native notifications.
+# Add the next line to your firefox.local to enable native notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment or put in your firefox.local to allow to inhibit screensavers
+# Add the next line to your firefox.local to allow inhibiting screensavers.
 #dbus-user.talk org.freedesktop.ScreenSaver
-# Uncomment or put in your firefox.local for plasma browser integration
+# Add the next lines to your firefox.local for plasma browser integration.
 #dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
 #dbus-user.talk org.kde.JobViewServer
 #dbus-user.talk org.kde.kuiserver
-# Uncomment or put in your firefox.local to allow screen sharing under wayland.
+# Add the next two lines to your firefox.local to allow screen sharing under wayland.
 #whitelist ${RUNUSER}/pipewire-0
 #dbus-user.talk org.freedesktop.portal.*
-# Also uncomment or put in your firefox.local if screen sharing sharing still
+# Add the next line to your firefox.local if screen sharing sharing still does not work
-# does not work with the above lines (might depend on the portal
+# with the above lines (might depend on the portal implementation).
-# implementation)
 #ignore noroot
 ignore dbus-user none
diff --git a/etc/profile-a-l/gajim.profile b/etc/profile-a-l/gajim.profile
index 125ddf79c..e2da1747e 100644
--- a/etc/profile-a-l/gajim.profile
+++ b/etc/profile-a-l/gajim.profile
@@ -21,7 +21,7 @@ include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
-# Comment the following line if you need to whitelist folders other than ~/Downloads
+# Add 'ignore include disable-xdg.inc' to your gajim.local if you need to whitelist folders other than ~/Downloads.
 include disable-xdg.inc
 mkdir ${HOME}/.gnupg
@@ -73,7 +73,7 @@ dbus-user.talk org.kde.kwalletd5
 dbus-user.talk org.mpris.MediaPlayer2.*
 dbus-system filter
 dbus-system.talk org.freedesktop.login1
-# Uncomment for location plugin support
+# Add the next line to your gajim.local to enable location plugin support.
 #dbus-system.talk org.freedesktop.GeoClue2
 join-or-start gajim
diff --git a/etc/profile-a-l/gapplication.profile b/etc/profile-a-l/gapplication.profile
index e339f6abb..5e1b024fe 100644
--- a/etc/profile-a-l/gapplication.profile
+++ b/etc/profile-a-l/gapplication.profile
@@ -51,8 +51,8 @@ private-dev
 private-etc none
 private-tmp
-# Uncomment (or add to your gapplcation.local) the next line to filter D-Bus names.
+# Add the next line to your gapplication.local to filter D-Bus names.
-# You might need to add additional dbus-user.talk rules. see 'gapplication list-apps'.
+# You might need to add additional dbus-user.talk rules (see 'gapplication list-apps').
 #dbus-user filter
 dbus-user.talk org.gnome.Boxes
 dbus-user.talk org.gnome.Builder
diff --git a/etc/profile-a-l/gedit.profile b/etc/profile-a-l/gedit.profile
index 30251fbe5..d61bea6c4 100644
--- a/etc/profile-a-l/gedit.profile
+++ b/etc/profile-a-l/gedit.profile
@@ -43,7 +43,7 @@ tracelog
 # private-bin gedit
 private-dev
-# private-lib breaks python plugins, uncomment or add to your gedit.local if you don't use them.
+# private-lib breaks python plugins - add the next line to your gedit.local if you don't use them.
 #private-lib aspell,gconv,gedit,libgspell-1.so.*,libgtksourceview-*,libpeas-gtk-1.0.so.*,libreadline.so.*,libtinfo.so.*
 private-tmp
diff --git a/etc/profile-a-l/gimp.profile b/etc/profile-a-l/gimp.profile
index bc5ef966c..e26fadca2 100644
--- a/etc/profile-a-l/gimp.profile
+++ b/etc/profile-a-l/gimp.profile
@@ -6,7 +6,7 @@ include gimp.local
 # Persistent global definitions
 include globals.local
-# Uncomment or add to gimp.local in order to support scanning via xsane (see #3640).
+# Add the next lines to your gimp.local in order to support scanning via xsane (see #3640).
 # TODO: Replace 'ignore seccomp' with a less permissive option.
 #ignore seccomp
 #ignore dbus-system
@@ -15,8 +15,7 @@ include globals.local
 # gimp plugins are installed by the user in ${HOME}/.gimp-2.8/plug-ins/ directory
-# if you are not using external plugins, you can comment 'ignore noexec' statement below
+# If you are not using external plugins, you can add 'noexec ${HOME}' to your gimp.local.
-# or put 'noexec ${HOME}' in your gimp.local
 ignore noexec ${HOME}
 noblacklist ${HOME}/.cache/babl
diff --git a/etc/profile-a-l/git-cola.profile b/etc/profile-a-l/git-cola.profile
index 312655b9b..7894e4d8d 100644
--- a/etc/profile-a-l/git-cola.profile
+++ b/etc/profile-a-l/git-cola.profile
@@ -14,8 +14,8 @@ noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.subversion
 noblacklist ${HOME}/.config/git
 noblacklist ${HOME}/.config/git-cola
-# Put your editor,diff viewer config path below and uncomment to load settings
+# Add your editor/diff viewer config paths and the next line to your git-cola.local to load settings.
-# noblacklist ${HOME}/
+#noblacklist ${HOME}/
 # Allow python (blacklisted by disable-interpreters.inc)
 include allow-python2.inc
@@ -34,7 +34,7 @@ include disable-xdg.inc
 whitelist ${RUNUSER}/gnupg
 whitelist ${RUNUSER}/keyring
-# Whitelist your editor, diff viewer, gnupg path below in /usr/share/
+# Add additional whitelist paths below /usr/share to your git-cola.local to support your editor/diff viewer.
 whitelist /usr/share/git
 whitelist /usr/share/git-cola
 whitelist /usr/share/git-core
@@ -65,8 +65,8 @@ seccomp
 shell none
 tracelog
-# Add your own diff viewer,editor,pinentry program
+# Add your own diff viewer,editor,pinentry program to private-bin in your git-cola.local.
-# pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
+#private-bin pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for gpg
 private-bin basename,bash,cola,envsubst,gettext,git,git-cola,git-dag,git-gui,gitk,gpg,gpg-agent,nano,ps,python*,sh,ssh,ssh-agent,tclsh,tr,wc,which,xed
 private-cache
 private-dev
@@ -74,13 +74,14 @@ private-etc alternatives,ca-certificates,crypto-policies,dconf,fonts,gcrypt,gitc
 private-tmp
 writable-run-user
-# Breaks meld as diff viewer
+# dbus-user filtering breaks meld as diff viewer
-# dbus-user filter
+# Add the next line to your git-cola.local if you don't use meld.
-# Uncomment if you need keyring access
+#dbus-user filter
-# dbus-user.talk org.freedesktop.secrets
+# Add the next line to your git-cola.local if you need keyring access
+#dbus-user.talk org.freedesktop.secrets
 dbus-system none
 read-only ${HOME}/.git-credentials
-# Comment if you need to allow hosts
+# Add 'ignore read-only ${HOME}/.ssh' to your git-cola.local if you need to allow hosts.
 read-only ${HOME}/.ssh
diff --git a/etc/profile-a-l/gitg.profile b/etc/profile-a-l/gitg.profile
index 93b90eb9e..7b6820a81 100644
--- a/etc/profile-a-l/gitg.profile
+++ b/etc/profile-a-l/gitg.profile
@@ -59,6 +59,6 @@ private-tmp
 dbus-user filter
 dbus-user.own org.gnome.gitg
 dbus-user.talk ca.desrt.dconf
-# Uncomment (or put in your gitg.local) if you need keyring access.
+# Add the next line to your gitg.local if you need keyring access.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/gnome-characters.profile b/etc/profile-a-l/gnome-characters.profile
index 4d53a67dd..048fad65c 100644
--- a/etc/profile-a-l/gnome-characters.profile
+++ b/etc/profile-a-l/gnome-characters.profile
@@ -44,8 +44,7 @@ shell none
 tracelog
 disable-mnt
-# Uncomment the next line (or add it to your gnome-characters.local)
+# Add the next line to your gnome-characters.local if you don't need access to recently used chars.
-# if you don't need recently used chars
 #private
 private-bin gjs,gnome-characters
 private-cache
@@ -53,8 +52,7 @@ private-dev
 private-etc alternatives,dconf,fonts,gconf,gtk-2.0,gtk-3.0,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,mime.types,pango,X11,xdg
 private-tmp
-# Uncomment the next lines (or add it to your gnome-characters.local)
+# Add the next lines to your gnome-characters.local if you don't need access to recently used chars.
-# if you don't need recently used chars
 # dbus-user none
 # dbus-system none
diff --git a/etc/profile-a-l/google-earth-pro.profile b/etc/profile-a-l/google-earth-pro.profile
index 1240dc3b7..249ae187d 100644
--- a/etc/profile-a-l/google-earth-pro.profile
+++ b/etc/profile-a-l/google-earth-pro.profile
@@ -22,8 +22,7 @@ include google-earth-pro.local
 #[[ -e "$_lock_icon_cache" ]] && rm -f "${_lock_icon_cache:?}"
 # <--- end of snippet --->
-# If you see errors about missing commands, uncomment the below or put 'ignore private-bin' into your google-earth-pro.local
+# If you see errors about missing commands, add 'ignore private-bin' to your google-earth-pro.local.
-#ignore private-bin
 private-bin google-earth-pro,googleearth,googleearth-bin,gpsbabel,readlink,repair_tool,rm,which,xdg-mime,xdg-settings
 # Redirect
diff --git a/etc/profile-a-l/hasher-common.profile b/etc/profile-a-l/hasher-common.profile
index 2f684349d..1633cc3ee 100644
--- a/etc/profile-a-l/hasher-common.profile
+++ b/etc/profile-a-l/hasher-common.profile
@@ -6,24 +6,23 @@ include hasher-common.local
 blacklist ${RUNUSER}
-# WARNING:
+# Comment/uncomment the relevant include file(s) in your hasher-common.local
-# Users can (un)restrict file access for **all** hashers by commenting/uncommenting the needed
+# to (un)restrict file access for **all** hashers. Another option is to do this **per hasher**
-# include file(s) here or by putting those into hasher-common.local.
+# in the relevant <hasher>.local. Beware that things tend to break when overtightening
-# Another option is to do this **per hasher** in the relevant <hasher>.local.
+# profiles. For example, because you only need to hash/check files in ${DOWNLOADS},
-# Just beware that things tend to break when overtightening profiles. For example, because you only
+# other applications may need access to ${HOME}/.local/share.
-# need to hash/check files in ${DOWNLOADS}, other applications may need access to ${HOME}/.local/share.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-common.inc.
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-programs.inc.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include disable-write-mnt.inc
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in disable-xdg.inc.
+# Add the next line to your hasher-common.local if you don't need to hash files in disable-xdg.inc.
 #include disable-xdg.inc
 apparmor
@@ -47,10 +46,10 @@ shell none
 tracelog
 x11 none
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+# Add the next line to your hasher-common.local if you don't need to hash files in ~/.cache.
 #private-cache
 private-dev
-# Uncomment the next line (or put it into your hasher-common.local) if you don't need to hash files in /tmp.
+# Add the next line to your hasher-common.local if you don't need to hash files in /tmp.
 #private-tmp
 dbus-user none
diff --git a/etc/profile-a-l/i2prouter.profile b/etc/profile-a-l/i2prouter.profile
index 9ffdb9e9b..d95d53b7a 100644
--- a/etc/profile-a-l/i2prouter.profile
+++ b/etc/profile-a-l/i2prouter.profile
@@ -9,16 +9,16 @@ include globals.local
 # Notice: default browser will most likely not be able to automatically open, due to sandbox.
 # Auto-opening default browser can be disabled in the I2P router console.
 # This profile will not currently work with any Arch User Repository I2P packages,
-# use the distro-independent official I2P java installer instead
+# use the distro-independent official I2P java installer instead.
-# Only needed if i2prouter binary is in home directory, official I2P java installer does this
+# Only needed when i2prouter binary resides in home directory (official I2P java installer does so).
 ignore noexec ${HOME}
 noblacklist ${HOME}/.config/i2p
 noblacklist ${HOME}/.i2p
 noblacklist ${HOME}/.local/share/i2p
 noblacklist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
 noblacklist /usr/sbin
 # Allow java (blacklisted by disable-devel.inc)
@@ -40,13 +40,14 @@ whitelist ${HOME}/.config/i2p
 whitelist ${HOME}/.i2p
 whitelist ${HOME}/.local/share/i2p
 whitelist ${HOME}/i2p
-# Only needed if wrapper is placed in /usr/sbin/, ubuntu official I2P ppa package does this
+# Only needed when wrapper resides in /usr/sbin/ (Ubuntu official I2P PPA package does so).
 whitelist /usr/sbin/wrapper*
 include whitelist-common.inc
-# May break I2P if wrapper is placed in the home directory; official I2P java installer does this
+# May break I2P if wrapper resides in the home directory (official I2P java installer does so).
-# If using ubuntu official I2P ppa, this should be fine to uncomment, as it puts wrapper in /usr/sbin/
+# When using the Ubuntu official I2P PPA it should be fine to add 'apparmor' to your i2prouter.local,
+# as it places the wrapper in /usr/sbin/
 #apparmor
 caps.drop all
 ipc-namespace
diff --git a/etc/profile-a-l/kdiff3.profile b/etc/profile-a-l/kdiff3.profile
index 5786a4687..eb1e219ab 100644
--- a/etc/profile-a-l/kdiff3.profile
+++ b/etc/profile-a-l/kdiff3.profile
@@ -9,8 +9,8 @@ include globals.local
 noblacklist ${HOME}/.config/kdiff3fileitemactionrc
 noblacklist ${HOME}/.config/kdiff3rc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-common.inc.
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-common.inc.
-# by default we deny access only to .ssh and .gnupg
+# By default we deny access only to .ssh and .gnupg.
 #include disable-common.inc
 blacklist ${HOME}/.ssh
 blacklist ${HOME}/.gnupg
@@ -19,15 +19,15 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in disable-programs.inc.
+# Add the next line to your kdiff3.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
 include whitelist-runuser-common.inc
-# Uncomment the next lines (or put it into your kdiff3.local) if you don't need to compare files in /usr/share.
+# Add the next line to your kdiff3.local if you don't need to compare files in /usr/share.
 #include whitelist-usr-share-common.inc
-# Uncomment the next line (or put it into your kdiff3.local) if you don't need to compare files in /var.
+# Add the next line to your kdiff3.local if you don't need to compare files in /var.
 #include whitelist-var-common.inc
 apparmor
diff --git a/etc/profile-a-l/keepassxc.profile b/etc/profile-a-l/keepassxc.profile
index 3ad779a12..11c279911 100644
--- a/etc/profile-a-l/keepassxc.profile
+++ b/etc/profile-a-l/keepassxc.profile
@@ -30,11 +30,11 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# You can enable whitelisting for keepassxc by uncommenting (or adding to you keepassxc.local) the following lines.
+# You can enable whitelisting for keepassxc by adding the below to your keepassxc.local.
-# If you do so, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx
+# If you do, you MUST store your database under ${HOME}/Documents/KeePassXC/foo.kdbx.
 #mkdir ${HOME}/Documents/KeePassXC
 #whitelist ${HOME}/Documents/KeePassXC
-# Needed for KeePassXC-Browser
+# Needed for KeePassXC-Browser.
 #mkfile ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #whitelist ${HOME}/.config/BraveSoftware/Brave-Browser/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
 #mkfile ${HOME}/.config/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json
@@ -89,12 +89,12 @@ dbus-user.talk org.freedesktop.login1.Session
 dbus-user.talk org.gnome.ScreenSaver
 dbus-user.talk org.gnome.SessionManager
 dbus-user.talk org.gnome.SessionManager.Presence
-# Uncomment or add to your keepassxc.local to allow Notifications.
+# Add the next line to your keepassxc.local to allow notifications.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment or add to your keepassxc.local to allow Tray.
+# Add the next line to your keepassxc.local to allow the tray menu.
 #dbus-user.talk org.kde.StatusNotifierWatcher
 #dbus-user.own org.kde.*
 dbus-system none
-# Mutex is stored in /tmp by default, which is broken by private-tmp
+# Mutex is stored in /tmp by default, which is broken by private-tmp.
 join-or-start keepassxc
diff --git a/etc/profile-a-l/librewolf.profile b/etc/profile-a-l/librewolf.profile
index 5208cb979..8e891a930 100644
--- a/etc/profile-a-l/librewolf.profile
+++ b/etc/profile-a-l/librewolf.profile
@@ -14,14 +14,15 @@ mkdir ${HOME}/.librewolf
 whitelist ${HOME}/.cache/librewolf
 whitelist ${HOME}/.librewolf
-# Uncomment (or add to librewolf.local) the following lines if you want to
+# Add the next lines to your librewolf.local if you want to use the migration wizard.
-# use the migration wizard.
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 # librewolf requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your librewolf.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,librewolf,python*,sh,which
-# private-etc must first be enabled in firefox-common.profile
+# Add the next line to your librewolf.local to enable private-etc. Note
+# that private-etc must first be enabled in firefox-common.local.
 #private-etc librewolf
 # Redirect
diff --git a/etc/profile-a-l/liferea.profile b/etc/profile-a-l/liferea.profile
index a122e9bbc..1b10f0934 100644
--- a/etc/profile-a-l/liferea.profile
+++ b/etc/profile-a-l/liferea.profile
@@ -55,8 +55,8 @@ private-tmp
 dbus-user filter
 dbus-user.own net.sourceforge.liferea
 dbus-user.talk ca.desrt.dconf
-# Uncomment the below if you use the 'Popup Notifications' plugin or add 'dbus-user.talk org.freedesktop.Notifications' to your liferea.local
+# Add the next line to your liferea.local if you use the 'Popup Notifications' plugin.
 #dbus-user.talk org.freedesktop.Notifications
-# Uncomment the below if you use the 'Libsecret Support' plugin or add 'dbus-user.talk org.freedesktop.secrets' to your liferea.local
+# Add the next line to your liferea.local if you use the 'Libsecret Support' plugin.
 #dbus-user.talk org.freedesktop.secrets
 dbus-system none
diff --git a/etc/profile-a-l/links.profile b/etc/profile-a-l/links.profile
index ccc77f274..272bc4f3a 100644
--- a/etc/profile-a-l/links.profile
+++ b/etc/profile-a-l/links.profile
@@ -17,8 +17,8 @@ include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# you may want to noblacklist files/directories blacklisted in
+# Additional noblacklist files/directories (blacklisted in disable-programs.inc)
-# disable-programs.inc and used as associated programs
+# used as associated programs can be added in your links.local.
 include disable-programs.inc
 include disable-xdg.inc
@@ -30,19 +30,19 @@ include whitelist-var-common.inc
 caps.drop all
 ipc-namespace
-# comment machine-id (or put 'ignore machine-id' in your links.local) if you want
+# Add 'ignore machine-id' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 machine-id
 netfilter
-# comment no3d (or put 'ignore no3d' in your links.local) if you want
+# Add 'ignore no3d' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 no3d
 nodvd
 nogroups
 nonewprivs
 noroot
-# comment nosound (or put 'ignore nosound' in your links.local) if you want
+# Add 'ignore nosound' to your links.local if you want to restrict access to
-# to allow access only to user-configured associated media player
+# the user-configured associated media player.
 nosound
 notv
 nou2f
@@ -53,14 +53,12 @@ shell none
 tracelog
 disable-mnt
-# if you want to use user-configured programs add 'private-bin PROGRAM1,PROGRAM2' to your links.local
+# Add  'private-bin PROGRAM1,PROGRAM2' to your links.local  if you want to use user-configured programs.
-# or append 'PROGRAM1,PROGRAM2' to this private-bin line
 private-bin links,sh
 private-cache
 private-dev
 private-etc alternatives,ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
-# Uncomment the following line (or put it in your links.local) allow external
+# Add the next line to your links.local to allow external media players.
-# media players
 # private-etc alsa,asound.conf,machine-id,openal,pulse
 private-tmp
diff --git a/etc/profile-a-l/lutris.profile b/etc/profile-a-l/lutris.profile
index 5d05631ec..d750e5fcd 100644
--- a/etc/profile-a-l/lutris.profile
+++ b/etc/profile-a-l/lutris.profile
@@ -66,8 +66,8 @@ protocol unix,inet,inet6,netlink
 seccomp
 shell none
-# uncomment the following line if you do not need controller support
+# Add the next line to your lutris.local if you do not need controller support.
-# private-dev
+#private-dev
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/PCSX2.profile b/etc/profile-m-z/PCSX2.profile
index b2687ba3c..e678b7204 100644
--- a/etc/profile-m-z/PCSX2.profile
+++ b/etc/profile-m-z/PCSX2.profile
@@ -6,7 +6,7 @@ include PCSX2.local
 # Persistent global definitions
 include globals.local
-# Note: you must whitelist your games folder in a PCSX2.local
+# Note: you must whitelist your games folder in your PCSX2.local.
 noblacklist ${HOME}/.config/PCSX2
@@ -32,7 +32,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
-# Uncomment the following line if not loading games from disc
+# Add the next line to your PCSX2.local if you're not loading games from disc.
 #nodvd
 nogroups
 nonewprivs
@@ -47,7 +47,7 @@ shell none
 private-bin PCSX2
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your PCSX2.local if you do not need controller support.
 #private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-opt none
diff --git a/etc/profile-m-z/marker.profile b/etc/profile-m-z/marker.profile
index 70e5c72cf..84039aca3 100644
--- a/etc/profile-m-z/marker.profile
+++ b/etc/profile-m-z/marker.profile
@@ -6,7 +6,7 @@ include marker.local
 # Persistent global definitions
 include globals.local
-# Uncomment (or add to your marker.local) if you need internet access.
+# Add the next lines to your marker.local if you need internet access.
 #ignore net none
 #protocol unix,inet,inet6
 #private-etc ca-certificates,ssl,pki,crypto-policies,nsswitch.conf,resolv.conf
diff --git a/etc/profile-m-z/meld.profile b/etc/profile-m-z/meld.profile
index d76522fce..900523b81 100644
--- a/etc/profile-m-z/meld.profile
+++ b/etc/profile-m-z/meld.profile
@@ -7,11 +7,11 @@ include meld.local
 include globals.local
 # If you want to use meld as git mergetool (and maybe some other VCS integrations) you need
-# to bypass firejail, you can do this by removing the symlink or calling it by its absolute path
+# to bypass firejail. You can do this by removing the symlink or by calling it by its absolute path.
 # Removing the symlink:
-#  sudo rm /usr/local/bin/meld
+# $ sudo rm /usr/local/bin/meld
 # Calling it by its absolute path (example for git mergetool):
-#  git config --global mergetool.meld.cmd /usr/bin/meld
+# $ git config --global mergetool.meld.cmd /usr/bin/meld
 noblacklist ${HOME}/.config/meld
 noblacklist ${HOME}/.config/git
@@ -21,30 +21,31 @@ noblacklist ${HOME}/.local/share/meld
 noblacklist ${HOME}/.subversion
 # Allow python (blacklisted by disable-interpreters.inc)
-# Python 2 is EOL (see #3164). Uncomment the next line (or put it into your meld.local) if you understand the risks but want python 2 support for older meld versions.
+# Python 2 is EOL (see #3164). Add the next line to your meld.local if you understand the risks
+# but want to keep Python 2 support for older meld versions.
 #include allow-python2.inc
 include allow-python3.inc
 # Allow ssh (blacklisted by disable-common.inc)
 include allow-ssh.inc
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-common.inc.
+# Add the next line to your meld.local if you don't need to compare files in disable-common.inc.
 #include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
 include disable-interpreters.inc
 include disable-passwdmgr.inc
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
+# Add the next line to your meld.local if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 include disable-shell.inc
 include whitelist-runuser-common.inc
-# Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
+# Add the next lines to your meld.local if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare files in /var.
+# Add the next line to your meld.local if you don't need to compare files in /var.
 #include whitelist-var-common.inc
 apparmor
@@ -70,9 +71,9 @@ tracelog
 private-bin bzr,cvs,git,hg,meld,python*,svn
 private-cache
 private-dev
-# Uncomment the next line (or put it into your meld.local) if you don't need to compare in /etc.
+# Add the next line to your meld.local if you don't need to compare files in /etc.
 #private-etc alternatives,ca-certificates,crypto-policies,fonts,hostname,hosts,pki,resolv.conf,ssl,subversion
-# Comment the next line (or add 'ignore private-tmp to your meld.local') if you want to use it as a difftool (#3551)
+# Add 'ignore private-tmp' to your meld.local if you want to use it as difftool (#3551).
 private-tmp
 read-only ${HOME}/.ssh
diff --git a/etc/profile-m-z/mutt.profile b/etc/profile-m-z/mutt.profile
index 24782c033..2c6e047d8 100644
--- a/etc/profile-m-z/mutt.profile
+++ b/etc/profile-m-z/mutt.profile
@@ -38,8 +38,7 @@ noblacklist ${HOME}/sent
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
-# Uncomment or put them in mutt.local for oauth.py,S/MIME
+# Add the next lines to your mutt.local for oauth.py,S/MIME support.
 #include allow-perl.inc
 #include allow-python2.inc
 #include allow-python3.inc
diff --git a/etc/profile-m-z/nextcloud.profile b/etc/profile-m-z/nextcloud.profile
index 4e7c902d9..53dd3a05a 100644
--- a/etc/profile-m-z/nextcloud.profile
+++ b/etc/profile-m-z/nextcloud.profile
@@ -9,7 +9,7 @@ include globals.local
 noblacklist ${HOME}/Nextcloud
 noblacklist ${HOME}/.config/Nextcloud
 noblacklist ${HOME}/.local/share/Nextcloud
-# Uncomment or put in your nextcloud.local to allow sync with more directories.
+# Add the next lines to your nextcloud.local to allow sync in more directories.
 #noblacklist ${DOCUMENTS}
 #noblacklist ${MUSIC}
 #noblacklist ${PICTURES}
@@ -30,7 +30,7 @@ mkdir ${HOME}/.local/share/Nextcloud
 whitelist ${HOME}/Nextcloud
 whitelist ${HOME}/.config/Nextcloud
 whitelist ${HOME}/.local/share/Nextcloud
-# Uncomment or put in your nextcloud.local to allow sync with more directories.
+# Add the next lines to your nextcloud.local to allow sync in more directories.
 #whitelist ${DOCUMENTS}
 #whitelist ${MUSIC}
 #whitelist ${PICTURES}
diff --git a/etc/profile-m-z/nheko.profile b/etc/profile-m-z/nheko.profile
index 2fbbef832..1b5da8d27 100644
--- a/etc/profile-m-z/nheko.profile
+++ b/etc/profile-m-z/nheko.profile
@@ -51,9 +51,11 @@ private-dev
 private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,mime.types,nsswitch.conf,pki,pulse,resolv.conf,selinux,ssl,X11,xdg
 private-tmp
+# Add the next lines to your nheko.local to enable notification support.
+#ignore dbus-user none
+#dbus-user filter
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-user none
-# Comment the above line and uncomment below lines for notification popups
-# dbus-user filter
-# dbus-user.talk org.freedesktop.Notifications
-# dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/npm.profile b/etc/profile-m-z/npm.profile
index e95e875be..f51d58782 100644
--- a/etc/profile-m-z/npm.profile
+++ b/etc/profile-m-z/npm.profile
@@ -15,7 +15,7 @@ noblacklist ${HOME}/.npm
 noblacklist ${HOME}/.npmrc
 # If you want whitelisting, change ${HOME}/Projects below to your npm projects directory
-# and uncomment the lines below.
+# and add the next lines to your npm.local.
 #mkdir ${HOME}/.node-gyp
 #mkdir ${HOME}/.npm
 #mkfile ${HOME}/.npmrc
diff --git a/etc/profile-m-z/ocenaudio.profile b/etc/profile-m-z/ocenaudio.profile
index ae18cfff9..be3618e31 100644
--- a/etc/profile-m-z/ocenaudio.profile
+++ b/etc/profile-m-z/ocenaudio.profile
@@ -26,7 +26,7 @@ apparmor
 caps.drop all
 ipc-namespace
 # net none - breaks update functionality and AppArmor on Ubuntu systems
-# uncomment (or put 'net none' in your ocenaudio.local) when needed
+# Add 'net none' to your ocenaudio.local when you want that functionality.
 #net none
 netfilter
 no3d
diff --git a/etc/profile-m-z/openmw.profile b/etc/profile-m-z/openmw.profile
index 270d64c1e..89b146619 100644
--- a/etc/profile-m-z/openmw.profile
+++ b/etc/profile-m-z/openmw.profile
@@ -22,8 +22,8 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/openmw
 mkdir ${HOME}/.local/share/openmw
 whitelist ${HOME}/.config/openmw
-# Copy Morrowind data files into the following directory or load it from /mnt
+# Copy Morrowind data files into ${HOME}/.local/share/openmw or load them from /mnt.
-# or whitelist it in a openmw.local
+# Alternatively you can whitelist custom paths in your openmw.local.
 whitelist ${HOME}/.local/share/openmw
 whitelist /usr/share/openmw
 include whitelist-common.inc
@@ -36,7 +36,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
-# Uncomment the following line if installing from disc
+# Add 'ignore nodvd' to your openmw.local when installing from disc.
 nodvd
 nogroups
 nonewprivs
diff --git a/etc/profile-m-z/pcsxr.profile b/etc/profile-m-z/pcsxr.profile
index c25c4ae66..a6dab2a9a 100644
--- a/etc/profile-m-z/pcsxr.profile
+++ b/etc/profile-m-z/pcsxr.profile
@@ -6,7 +6,7 @@ include pcsxr.local
 # Persistent global definitions
 include globals.local
-# Note: you must whitelist your games folder in a pcsxr.local
+# Note: you must whitelist your games folder in your pcsxr.local
 noblacklist ${HOME}/.pcsxr
@@ -32,7 +32,7 @@ caps.drop all
 ipc-namespace
 net none
 netfilter
-# Uncomment the following line if not loading games from disc
+# Add the next line to your pcsxr.local when not loading games from disc.
 #nodvd
 nogroups
 nonewprivs
@@ -47,7 +47,7 @@ tracelog
 private-bin pcsxr
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your pcsxr.local if you do not need controller support.
 #private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gconf,glvnd,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,nvidia,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
 private-opt none
diff --git a/etc/profile-m-z/ppsspp.profile b/etc/profile-m-z/ppsspp.profile
index 263d99c83..1f73c1d89 100644
--- a/etc/profile-m-z/ppsspp.profile
+++ b/etc/profile-m-z/ppsspp.profile
@@ -6,7 +6,7 @@ include ppsspp.local
 # Persistent global definitions
 include globals.local
-# Note: you must whitelist your games folder in a ppsspp.local
+# Note: you must whitelist your games folder in your ppsspp.local.
 noblacklist ${HOME}/.config/ppsspp
@@ -42,7 +42,7 @@ seccomp
 shell none
 private-bin ppsspp,PPSSPP,PPSSPPQt,PPSSPPSDL
-# uncomment the following line if you do not need controller support
+# Add the next line to your ppsspp.local if you do not need controller support.
 #private-dev
 private-etc alternatives,asound.conf,ca-certificates,crypto-policies,drirc,fonts,group,host.conf,hostname,hosts,ld.so.cache,ld.so.preload,localtime,machine-id,nsswitch.conf,passwd,pki,pulse,resolv.conf,ssl
 private-opt ppsspp
diff --git a/etc/profile-m-z/psi.profile b/etc/profile-m-z/psi.profile
index d3112ae95..376743b8d 100644
--- a/etc/profile-m-z/psi.profile
+++ b/etc/profile-m-z/psi.profile
@@ -6,8 +6,8 @@ include psi.local
 # Persistent global definitions
 include globals.local
-# Uncomment for GPG
+# Add the next line to your psi.local to enable GPG support.
-# noblacklist ${HOME}/.gnupg
+#noblacklist ${HOME}/.gnupg
 noblacklist ${HOME}/.cache/psi
 noblacklist ${HOME}/.cache/Psi
 noblacklist ${HOME}/.config/psi
@@ -23,28 +23,28 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# Uncomment for GPG
+# Add the next line to your psi.local to enable GPG support.
-# mkdir ${HOME}/.gnupg
+#mkdir ${HOME}/.gnupg
 mkdir ${HOME}/.cache/psi
 mkdir ${HOME}/.cache/Psi
 mkdir ${HOME}/.config/psi
 mkdir ${HOME}/.local/share/psi
 mkdir ${HOME}/.local/share/Psi
-# Uncomment for GPG
+# Add the next line to your psi.local to enable GPG support.
-# whitelist ${HOME}/.gnupg
+#whitelist ${HOME}/.gnupg
 whitelist ${HOME}/.cache/psi
 whitelist ${HOME}/.cache/Psi
 whitelist ${HOME}/.config/psi
 whitelist ${HOME}/.local/share/psi
 whitelist ${HOME}/.local/share/Psi
 whitelist ${DOWNLOADS}
-# Uncomment for GPG
+# Add the next lines to your psi.local to enable GPG support.
-# whitelist /usr/share/gnupg
+#whitelist /usr/share/gnupg
-# whitelist /usr/share/gnupg2
+#whitelist /usr/share/gnupg2
 whitelist /usr/share/psi
-# Uncomment for GPG
+# Add the next lines to your psi.local to enable GPG support.
-# whitelist ${RUNUSER}/gnupg
+#whitelist ${RUNUSER}/gnupg
-# whitelist ${RUNUSER}/keyring
+#whitelist ${RUNUSER}/keyring
 include whitelist-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
@@ -63,11 +63,11 @@ nou2f
 protocol unix,inet,inet6,netlink
 seccomp !chroot
 shell none
-# breaks on Arch
+#tracelog - breaks on Arch
-# tracelog
 disable-mnt
-# Add "gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet" for GPG
+# Add the next line to your psi.local to enable GPG support.
+#private-bin gpg,gpg2,gpg-agent,pinentry-curses,pinentry-emacs,pinentry-fltk,pinentry-gnome3,pinentry-gtk,pinentry-gtk2,pinentry-gtk-2,pinentry-qt,pinentry-qt4,pinentry-tty,pinentry-x2go,pinentry-kwallet
 private-bin getopt,psi
 private-cache
 private-dev
diff --git a/etc/profile-m-z/rsync-download_only.profile b/etc/profile-m-z/rsync-download_only.profile
index 78159527a..4bce35d16 100644
--- a/etc/profile-m-z/rsync-download_only.profile
+++ b/etc/profile-m-z/rsync-download_only.profile
@@ -7,9 +7,8 @@ include rsync.local
 # Persistent global definitions
 include globals.local
-# Warning: This profile is writte to use rsync as an client for downloading,
+# WARNING: this profile is designed to use rsync as a client for downloading,
-# it is not writen to use rsync as an daemon (rsync --daemon) or to create backups.
+# not as a daemon (rsync --daemon) nor to create backups.
 # Usage: firejail --profile=rsync-download_only rsync
 blacklist /tmp/.X11-unix
@@ -24,7 +23,7 @@ include disable-programs.inc
 include disable-shell.inc
 include disable-xdg.inc
-# Uncomment or add to rsync.local to enable extra hardening
+# Add the next line to your rsync-download_only.local to enable extra hardening.
 #whitelist ${DOWNLOADS}
 include whitelist-var-common.inc
diff --git a/etc/profile-m-z/rtv.profile b/etc/profile-m-z/rtv.profile
index 6f971b96b..970545ff6 100644
--- a/etc/profile-m-z/rtv.profile
+++ b/etc/profile-m-z/rtv.profile
@@ -16,10 +16,9 @@ noblacklist ${HOME}/.local/share/rtv
 include allow-python2.inc
 include allow-python3.inc
-# You can configure rtv to open different type of links
+# You can configure rtv to open different type of links in external applications.
-# in external applications. Configuration here:
+# Configuration: https://github.com/michael-lazar/rtv#viewing-media-links.
-# https://github.com/michael-lazar/rtv#viewing-media-links
+# Add the next line to your rtv.local to enable external application support.
-# Uncomment or put in rtv.local for external application support
 #include rtv-addons.profile
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/profile-m-z/seahorse.profile b/etc/profile-m-z/seahorse.profile
index 065409e78..2b82e5d06 100644
--- a/etc/profile-m-z/seahorse.profile
+++ b/etc/profile-m-z/seahorse.profile
@@ -22,7 +22,7 @@ include disable-programs.inc
 include disable-xdg.inc
 # whitelisting in ${HOME} breaks file encryption feature of nautilus.
-# once #2882 is fixed this can be uncommented and nowhitelisted in seahorse-tool.profile
+# Once #2882 is fixed this can be activated here and nowhitelisted in seahorse-tool.profile.
 #mkdir ${HOME}/.gnupg
 #mkdir ${HOME}/.ssh
 #whitelist ${HOME}/.gnupg
diff --git a/etc/profile-m-z/servo.profile b/etc/profile-m-z/servo.profile
index 65da5d0de..dc3fdaf34 100644
--- a/etc/profile-m-z/servo.profile
+++ b/etc/profile-m-z/servo.profile
@@ -17,7 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
-# Add a whitelist for the directory where servo is installed and uncomment the lines below.
+# Add the next lines to your servo.local to turn this into a whitelisting profile.
+# You will need to add a whitelist for the directory where servo is installed.
 #whitelist ${DOWNLOADS}
 #include whitelist-common.inc
 include whitelist-runuser-common.inc
diff --git a/etc/profile-m-z/spectacle.profile b/etc/profile-m-z/spectacle.profile
index 73d2556ac..144763332 100644
--- a/etc/profile-m-z/spectacle.profile
+++ b/etc/profile-m-z/spectacle.profile
@@ -6,7 +6,7 @@ include spectacle.local
 # Persistent global definitions
 include globals.local
-# Uncomment the following lines to use sharing services.
+# Add the next lines to your spectacle.local to use sharing services.
 #netfilter
 #ignore net none
 #private-etc ca-certificates,crypto-policies,pki,resolv.conf,ssl
diff --git a/etc/profile-m-z/spectral.profile b/etc/profile-m-z/spectral.profile
index 093661d8c..bf0f9f3a1 100644
--- a/etc/profile-m-z/spectral.profile
+++ b/etc/profile-m-z/spectral.profile
@@ -50,8 +50,9 @@ private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,
 private-tmp
 dbus-user none
-# Comment the above line and uncomment below lines for notification popups
+# Add the next lines to your spectral.local to enable notification support.
-# dbus-user filter
+#ignore dbus-user none
-# dbus-user.talk org.freedesktop.Notifications
+#dbus-user filter
-# dbus-user.talk org.kde.StatusNotifierWatcher
+#dbus-user.talk org.freedesktop.Notifications
+#dbus-user.talk org.kde.StatusNotifierWatcher
 dbus-system none
diff --git a/etc/profile-m-z/supertuxkart.profile b/etc/profile-m-z/supertuxkart.profile
index 1b20f5d3d..6a0ed46e0 100644
--- a/etc/profile-m-z/supertuxkart.profile
+++ b/etc/profile-m-z/supertuxkart.profile
@@ -50,7 +50,7 @@ tracelog
 disable-mnt
 private-bin supertuxkart
 private-cache
-# uncomment the following line if you do not need controller support
+# Add the next line to your supertuxkart.local if you do not need controller support.
 #private-dev
 private-etc alternatives,ca-certificates,crypto-policies,drirc,hosts,machine-id,openal,pki,resolv.conf,ssl
 private-tmp
diff --git a/etc/profile-m-z/sylpheed.profile b/etc/profile-m-z/sylpheed.profile
index 50506d100..328812b04 100644
--- a/etc/profile-m-z/sylpheed.profile
+++ b/etc/profile-m-z/sylpheed.profile
@@ -19,7 +19,7 @@ dbus-user filter
 dbus-user.talk ca.desrt.dconf
 dbus-user.talk org.freedesktop.secrets
 dbus-user.talk org.gnome.keyring.SystemPrompter
-# Uncomment below for notifications (or put them in your sylpheed.local)
+# Add the next line to your sylpheed.local to enable notifications.
 # dbus-user.talk org.freedesktop.Notifications
 # Redirect
diff --git a/etc/profile-m-z/torbrowser-launcher.profile b/etc/profile-m-z/torbrowser-launcher.profile
index 5cb5caf8d..3cbfe8d8b 100644
--- a/etc/profile-m-z/torbrowser-launcher.profile
+++ b/etc/profile-m-z/torbrowser-launcher.profile
@@ -37,7 +37,7 @@ include whitelist-var-common.inc
 include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
-# Uncomment the line below or put 'apparmor' in your torbrowser-launcher.local.
+# Add 'apparmor' to your torbrowser-launcher.local to enable AppArmor support.
 # IMPORTANT: the relevant rule in /etc/apparmor.d/local/firejail-default will need
 # to be uncommented too for this to work as expected.
 #apparmor
@@ -53,8 +53,7 @@ novideo
 protocol unix,inet,inet6
 seccomp !chroot
 shell none
-# tracelog may cause issues, see github issue #1930
+#tracelog - may cause issues, see #1930
-#tracelog
 disable-mnt
 private-bin bash,cat,cp,cut,dirname,env,expr,file,gpg,grep,gxmessage,id,kdialog,ln,mkdir,mv,python*,rm,sed,sh,tail,tar,tclsh,test,tor-browser,tor-browser-en,torbrowser-launcher,update-desktop-database,xmessage,xz,zenity
diff --git a/etc/profile-m-z/vmware-view.profile b/etc/profile-m-z/vmware-view.profile
index 0117af376..0cb6d34d2 100644
--- a/etc/profile-m-z/vmware-view.profile
+++ b/etc/profile-m-z/vmware-view.profile
@@ -37,9 +37,8 @@ nonewprivs
 noroot
 notv
 nou2f
-# Comment novideo (or add 'ignore novideo' to your vmware-view.local) if you need your webcam
+# Add 'ignore novideo' to your vmware-view.local if you need your webcam.
 novideo
-# protocol produces a lot error messages but nothing seems to be broken
 protocol unix,inet,inet6
 seccomp !iopl
 seccomp.block-secondary
@@ -50,8 +49,7 @@ disable-mnt
 private-cache
 private-dev
 private-etc alsa,alternatives,asound.conf,bumblebee,ca-certificates,crypto-policies,dconf,drirc,fonts,gai.conf,gconf,glvnd,group,gtk-2.0,gtk-3.0,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,login.defs,machine-id,magic,magic.mgc,mime.types,nsswitch.conf,nvidia,pango,passwd,pki,protocols,proxychains.conf,pulse,resolv.conf,rpc,services,ssl,terminfo,vmware,vmware-tools,vmware-vix,X11,xdg
-# Logs are "stored" in /tmp, comment (or add 'ignore private-tmp' to your vmware-view.local)
+# Logs are kept in /tmp. Add 'ignore private-tmp' to your vmware-view.local if you need them without joining the sandbox.
-# if you need them without joining the sandbox.
 private-tmp
 dbus-user none
diff --git a/etc/profile-m-z/vmware.profile b/etc/profile-m-z/vmware.profile
index d00e16fef..5241e27b3 100644
--- a/etc/profile-m-z/vmware.profile
+++ b/etc/profile-m-z/vmware.profile
@@ -21,7 +21,7 @@ mkdir ${HOME}/.cache/vmware
 mkdir ${HOME}/.vmware
 whitelist ${HOME}/.cache/vmware
 whitelist ${HOME}/.vmware
-# Uncomment the following if you need to use "shared VM"
+# Add the next lines to your vmware.local if you need to use "shared VM".
 #whitelist /var/lib/vmware
 #writable-var
 include whitelist-common.inc
@@ -37,6 +37,7 @@ shell none
 tracelog
 #disable-mnt
+# Add the next line to your vmware.local to enable private-bin.
 #private-bin env,bash,sh,ovftool,vmafossexec,vmaf_*,vmnet-*,vmplayer,vmrest,vmrun,vmss2core,vmstat,vmware,vmware-*
 private-etc alsa,asound.conf,ca-certificates,conf.d,crypto-policies,dconf,fonts,gtk-2.0,gtk-3.0,hostname,hosts,ld.so.cache,localtime,machine-id,passwd,pki,pulse,resolv.conf,ssl,vmware,vmware-installer,vmware-vix
 dbus-user none
diff --git a/etc/profile-m-z/w3m.profile b/etc/profile-m-z/w3m.profile
index 0e172333a..a43835944 100644
--- a/etc/profile-m-z/w3m.profile
+++ b/etc/profile-m-z/w3m.profile
@@ -7,7 +7,7 @@ include w3m.local
 # Persistent global definitions
 include globals.local
-# Uncomment or add to your w3m.local if you want to use w3m-img on a vconsole
+# Add the next lines to your w3m.local if you want to use w3m-img on a vconsole.
 #ignore nogroups
 #ignore private-dev
 #ignore private-etc
diff --git a/etc/profile-m-z/waterfox.profile b/etc/profile-m-z/waterfox.profile
index c6c940fa3..18f1ca79a 100644
--- a/etc/profile-m-z/waterfox.profile
+++ b/etc/profile-m-z/waterfox.profile
@@ -13,14 +13,15 @@ mkdir ${HOME}/.waterfox
 whitelist ${HOME}/.cache/waterfox
 whitelist ${HOME}/.waterfox
-# Uncomment (or add to watefox.local) the following lines if you want to
+# Add the next lines to your watefox.local if you want to use the migration wizard.
-# use the migration wizard.
 #noblacklist ${HOME}/.mozilla
 #whitelist ${HOME}/.mozilla
 # waterfox requires a shell to launch on Arch. We can possibly remove sh though.
+# Add the next line to your waterfox.local to enable private-bin.
 #private-bin bash,dbus-launch,dbus-send,env,sh,waterfox,waterfox-classic,waterfox-current,which
-# private-etc must first be enabled in firefox-common.profile
+# Add the next line to your waterfox.local to enable private-etc. Note that private-etc must first be
+# enabled in your firefox-common.local.
 #private-etc waterfox
 # Redirect
diff --git a/etc/profile-m-z/wget.profile b/etc/profile-m-z/wget.profile
index f67d28618..8a7042f59 100644
--- a/etc/profile-m-z/wget.profile
+++ b/etc/profile-m-z/wget.profile
@@ -21,7 +21,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-shell.inc
-# depending on workflow you can uncomment the below or put 'include disable-xdg.inc' in your wget.local
+# Depending on workflow you can add the next line to your wget.local.
 #include disable-xdg.inc
 include whitelist-usr-share-common.inc
@@ -50,7 +50,7 @@ tracelog
 private-bin wget
 private-cache
 private-dev
-# depending on workflow you can uncomment the below or put this private-etc in your wget.local
+# Depending on workflow you can add the next line to your wget.local.
 #private-etc alternatives,ca-certificates,crypto-policies,pki,resolv.conf,ssl,wgetrc
 #private-tmp
diff --git a/etc/profile-m-z/wine.profile b/etc/profile-m-z/wine.profile
index 6ac74b9da..67427209f 100644
--- a/etc/profile-m-z/wine.profile
+++ b/etc/profile-m-z/wine.profile
@@ -24,8 +24,7 @@ include disable-programs.inc
 # include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
-# some applications don't need allow-debuggers, comment the next line
+# Some applications don't need allow-debuggers. Add 'ignore allow-debuggers' to your wine.local if you want to override this.
-# if it is not necessary (or put 'ignore allow-debuggers' in your wine.local)
 allow-debuggers
 caps.drop all
 # net none
diff --git a/etc/profile-m-z/wps.profile b/etc/profile-m-z/wps.profile
index 6e4a313e3..2b97d5b0a 100644
--- a/etc/profile-m-z/wps.profile
+++ b/etc/profile-m-z/wps.profile
@@ -23,7 +23,7 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
 machine-id
-# Uncomment the next line (or add to wps.local) if you don't use network features.
+# Add the next line to your wps.local if you don't use network features.
 #net none
 netfilter
 no3d
@@ -36,7 +36,7 @@ notv
 nou2f
 novideo
 protocol unix,inet,inet6
-# seccomp cause some minor issues, if you can live with them enable it.
+# seccomp causes some minor issues. Add the next line to your wps.local if you can live with those.
 #seccomp
 shell none
 tracelog
diff --git a/etc/profile-m-z/yarn.profile b/etc/profile-m-z/yarn.profile
index f20225050..360bd8442 100644
--- a/etc/profile-m-z/yarn.profile
+++ b/etc/profile-m-z/yarn.profile
@@ -13,7 +13,8 @@ noblacklist ${HOME}/.yarn-config
 noblacklist ${HOME}/.yarncache
 noblacklist ${HOME}/.yarnrc
-# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and uncomment the lines below.
+# If you want whitelisting, change ${HOME}/Projects below to your yarn projects directory and
+# add the next lines to you yarn.local.
 #mkdir ${HOME}/.yarn
 #mkdir ${HOME}/.yarn-config
 #mkdir ${HOME}/.yarncache
diff --git a/etc/profile-m-z/yelp.profile b/etc/profile-m-z/yelp.profile
index 479582b2a..a08a30b52 100644
--- a/etc/profile-m-z/yelp.profile
+++ b/etc/profile-m-z/yelp.profile
@@ -33,14 +33,14 @@ include whitelist-var-common.inc
 apparmor
 caps.drop all
-# machine-id breaks sound - uncomment here or put it in your yelp.local if you don't need it
+# machine-id breaks sound - add the next line to your yelp.local if you don't need sound support.
 #machine-id
 net none
 nodvd
 nogroups
 nonewprivs
 noroot
-# nosound - uncomment here or put it in your yelp.local if you don't need it
+# nosound - add the next line to your yelp.local if you don't need sound support.
 #nosound
 notv
 nou2f
@@ -66,11 +66,11 @@ dbus-system none
 # read-only ${HOME} breaks some features:
 #  1. yelp --editor-mode
 #  2. saving the window geometry
-# comment the line below or put 'ignore read-only ${HOME}' into your yelp.local if you need these features
+# add 'ignore read-only ${HOME}' to your yelp.local if you need these features.
 read-only ${HOME}
 read-write ${HOME}/.cache
 #  3. printing to PDF in ${DOCUMENTS}
-# additionally uncomment the lines below or put 'noblacklist ${DOCUMENTS}' and
+# additionally add 'noblacklist ${DOCUMENTS}' and 'whitelist ${DOCUMENTS}' to
-# 'whitelist ${DOCUMENTS}' into your yelp.local if you need printing to PDF support
+# your yelp.local if you need PDF printing support.
 #noblacklist ${DOCUMENTS}
 #whitelist ${DOCUMENTS}
diff --git a/etc/profile-m-z/zoom.profile b/etc/profile-m-z/zoom.profile
index e8cd64c93..ac615d861 100644
--- a/etc/profile-m-z/zoom.profile
+++ b/etc/profile-m-z/zoom.profile
@@ -6,14 +6,14 @@ include zoom.local
 # Persistent global definitions
 include globals.local
-# Disabled until someone reported positive feedback
+# Disabled until someone reports positive feedback.
 ignore apparmor
 ignore novideo
 ignore dbus-user none
 ignore dbus-system none
 # nogroups breaks webcam access on non-systemd systems (see #3711).
-# If you use such a system uncomment the line below or put 'ignore nogroups' in your zoom.local
+# If you use such a system, add 'ignore nogroups' to your zoom.local.
 #ignore nogroups
 noblacklist ${HOME}/.config/zoomus.conf