* docs: document threat model and trust boundaries in security policy

Clarify that pnpm's security boundary is filesystem permissions and that
reports assuming pre-existing write access to the store, lockfile,
node_modules, or config files are out of scope. Explain that the
content-addressable store's integrity check is corruption detection, not
tamper resistance against a write-capable local adversary, since the
recorded hashes live in the same trust domain as the files.

* docs: route pacquet and pnpr security reports to regular issues