doc: explicit mention arbitrary code execution as a vuln

This request came from Github Open Source Secure and
it's always welcome to clarify the policy

PR-URL: #57426
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>

Author: RafaelGSS

SECURITY.md

@@ -141,6 +141,9 @@ a security vulnerability. Examples of unwanted actions are polluting globals,
 causing an unrecoverable crash, or any other unexpected side effects that can
 lead to a loss of confidentiality, integrity, or availability.
 
+For example, if trusted input (like secure application code) is correct,
+then untrusted input must not lead to arbitrary JavaScript code execution.
+
 **Node.js trusts everything else**. Examples include:
 
 * The developers and infrastructure that runs it.