diff --git a/public/domain.te b/public/domain.te
index 931a045cf..35f03ee29 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -661,18 +661,21 @@ full_treble_only(`
 full_treble_only(` # Vendor apps are permited to use only stable public services. If they were to use arbitrary # services which can change any time framework/core is updated, breakage is likely. + # + # Note, this same logic applies to untrusted apps, but neverallows for these are separate. neverallow { appdomain -coredomain } { service_manager_type + -app_api_service + -vendor_service # must be @VintfStability to be used by an app -ephemeral_app_api_service + -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed -cameraserver_service - -hal_gnss_service # TODO(b/169256910) remove once all violators are gone -drmserver_service - -hal_light_service # TODO(b/148154485) remove once all violators are gone -credstore_service -keystore_service -mediadrmserver_service