diff --git a/Doc/library/sys.rst b/Doc/library/sys.rst
index a0621d4b0dbd09..41d6b32110b63f 100644
--- a/Doc/library/sys.rst
+++ b/Doc/library/sys.rst
@@ -1996,6 +1996,8 @@ always available. Unless explicitly noted otherwise, all variables are read-only
    and minor version as the local process. If either the local or remote
    interpreter is pre-release (alpha, beta, or release candidate) then the
    local and remote interpreters must be the same exact version.
+   The temporary script file is created with restrictive permissions (typically
+   ``0o600``). The target process must be able to read this file.
 
    .. audit-event:: sys.remote_exec pid script_path
 
@@ -2013,10 +2015,22 @@ always available. Unless explicitly noted otherwise, all variables are read-only
       This event is raised in the remote process, not the one
       that called :func:`sys.remote_exec`.
 
+   Callers should adjust permissions before calling, for example::
+
+      import os
+      import tempfile
+      import sys
+
+      with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
+          f.write("print('Hello from remote!')")
+          f.flush()
+          os.chmod(f.name, 0o644)  # Readable by group/other
+          sys.remote_exec(pid, f.name)
+      os.unlink(f.name)  # Cleanup
+
    .. availability:: Unix, Windows.
    .. versionadded:: 3.14
 
-
 .. function:: _enablelegacywindowsfsencoding()
 
    Changes the :term:`filesystem encoding and error handler` to 'mbcs' and