Clarify why builder level is meaningful in threats

[TomHennen]

          This is a great place to expand. Thanks for starting this.

I think the mitigation for this is essentially:

• Have a way to know what "correct" looks like for this resourceUri.
  • If you have access to such a thing, you can verify the artifact yourself by inspecting the data in the provenance attestation.
  • If you do not, you must rely on a VSA with access to definition of "correct"
  • If you do not have either, you cannot know whether the artifact is safe to use, even if it was SLSA Build L3

I think in the example below "build L3" is conflated with "built in the correct way" which is not necessarily the case.

Originally posted by @zachariahcox in #1191 (comment)

[TomHennen]

I think what we want to do is clarify in 'Mitigation' that the user setting a specific builder expectation protects them from vulnerabilities in other builders and a high level builder makes some vulnerabilities less likely.

We should probably update both G and F here.