
docs: add threat model document#6676

Draft
pichlermarc wants to merge 3 commits into
open-telemetry:mainfrom
dynatrace-oss-contrib:chore/threat-model

Conversation

@pichlermarc
Member

@pichlermarc pichlermarc commented May 6, 2026

Which problem is this PR solving?

We currently don't really define what is and what is not a vulnerability. Inspired by Node.js' SECURITY.md, this PR introduces a THREAT_MODEL.md as an extension of our security policy.

This PR is mainly intended to be a place of discussion for now, and I don't expect this to merge as-is.

I think it makes sense to generalize this in the future and have one Threat Model document for Language SIGs, since the challenges will be similar across all of them (the concepts of API/SDK and Instrumentations exist almost everywhere).

Disclosure of AI use: I used Claude Sonnet 4.6 to help me write that text from a bullet-point list that I've drafted.

@codecov

codecov Bot commented May 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.78%. Comparing base (cd61788) to head (4a57c5f).
⚠️ Report is 20 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6676      +/-   ##
==========================================
- Coverage   95.48%   94.78%   -0.71%     
==========================================
  Files         370      374       +4     
  Lines       12160    12439     +279     
  Branches     2805     2841      +36     
==========================================
+ Hits        11611    11790     +179     
- Misses        549      649     +100     


@mx-psi
Member

mx-psi commented May 13, 2026

Hello! I have been working on a more general document related to the OpenTelemetry security model which is now publicly available over at open-telemetry/sig-security/pull/261. I would appreciate your feedback there, thanks!


3 participants