Add privacy recommendation to autofill/autocomplete attribute

[alvaromontoro]

The way browsers implement the autofill, the values of auto-filled form fields can be read programmatically (they even trigger the change and input events) in the same way the fields would behave if the user had modified the control's data manually. This follows the processing model description:

The autocompletion mechanism must be implemented by the user agent acting as if the user had modified the control's data, [...]

But it also leads to a potential privacy issue: developers can get the user's personal data without the user's explicit consent (before the form is actually submitted). Therefore, a recommendation for user agents should be added, stating that they may/should implement measures to prevent such behavior.

The idea would be for the notice to be similar to the one from CSS :visited pseudo-class:

Since it is possible for style sheet authors to abuse the :link and :visited pseudo-classes to determine which sites a user has visited without the user’s consent, UAs may treat all links as unvisited links or implement other measures to preserve the user’s privacy while rendering visited and unvisited links differently.

Maybe something in the line of:

Since it is possible for authors to abuse the auto-filled information to obtain data without the user's consent before the form is submitted, UAs may treat all auto-filled fields as empty fields or implement other measures to preserve the user's privacy and protect personal information from being read before submission.

This recommendation/warning would be different from #3719 as it affects both visible and non-visible fields.

[annevk]

We should also annotate it as a https://infra.spec.whatwg.org/#tracking-vector.