doc: trust FFI in the threat model

Signed-off-by: Paolo Insogna <[email protected]>
PR-URL: #62852
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>

Author: ShogunPanda

SECURITY.md

@@ -213,7 +213,7 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
   along with anything under the control of the operating system.
 * The code it is asked to run, including JavaScript, WASM and native code, even
   if said code is dynamically loaded, e.g., all dependencies installed from the
-  npm registry.
+  npm registry or libraries loaded via `node:ffi`.
   The code run inherits all the privileges of the execution user.
 * Inputs provided to it by the code it is asked to run, as it is the
   responsibility of the application to perform the required input validations,