Add advisory note to Security/Privacy review about developer controlled text in Trusted UI.

[travisleithead]

Last note from TAG review: w3ctag/design-reviews#279

In the explainer there is a note about the UA should take steps to ensure that the content that originates from the web app is distinctly separate from the trusted UI elements as rendered by the UA. Another concern that led to browsers all-but-removing the rendering of beforeunload's status message (used in the user agent's dialog), is that fields like "title" are potential attack surface.

This issue is to suggest that the spec add a note to that effect in the Security and Privacy section. I don't believe there's a lot more the spec can offer by way of suggestions for mitigating this vulnerability. But, I think it's important for potential implementers of the spec to be aware and think about the problem.

Thanks!