diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
index 12ce411131..a9a2425fd1 100644
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
@@ -296,15 +296,16 @@ func (p *rbacPermission) Flatten() *envoy_rbac_v3.Permission {
 return andPermissions(parts)
 }
+// simplifyNotSourceSlice will collapse NotSources elements together if any element is
+// a subset of another.
+// For example "default/web" is a subset of "default/*" because it is covered by the wildcard.
 func simplifyNotSourceSlice(notSources []structs.ServiceName) []structs.ServiceName {
 if len(notSources) <= 1 {
 return notSources
 }
- // Collapse NotSources elements together if any element is a subset of
- // another.
- // Sort, keeping the least wildcarded elements first.
+ // More specific elements have a higher precedence over more wildcarded elements.
 sort.SliceStable(notSources, func(i, j int) bool {
 return countWild(notSources[i]) < countWild(notSources[j])
 })
diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go
index 44fac77334..9d182022e3 100644
--- a/agent/xds/rbac_test.go
+++ b/agent/xds/rbac_test.go
@@ -887,14 +887,3 @@ func makeServiceNameSlice(slice []string) []structs.ServiceName {
 }
 return out
 }
-
-func unmakeServiceNameSlice(slice []structs.ServiceName) []string {
- if len(slice) == 0 {
- return nil
- }
- var out []string
- for _, src := range slice {
- out = append(out, src.String())
- }
- return out
-}
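Review bot: The new doc comment on `simplifyNotSourceSlice` in the first hunk does not mention that the function reorders its argument in place: `sort.SliceStable(notSources, ...)` sorts the caller's slice, and the `len(notSources) <= 1` early return hands the same slice back. I would add `// The input slice is sorted in place; callers must not rely on its original order.` to the doc comment. The comment also does not say which element survives a collapse; presumably the broader wildcard entry is kept so the exclusion set stays equivalent, but that should be confirmed against the rest of the body, which continues outside the hunk, and then stated, since a wrong reading here changes which sources the generated RBAC rule excludes. The removed inline comment (`// Sort, keeping the least wildcarded elements first.`) described the sort order more directly than its replacement, so consider keeping that wording alongside the new precedence remark.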