Create a threat model akin to the SLSA threat model for package repository security

[michaelwinser]

The SLSA threat model has been the hub to almost all SLSA work and creates a clear context for requirements and guidance. The Principles for Package Repository Security document would benefit from such a threat model. It would also help frame discussions in package repository communities that are debating various security measures.