
docs: update security threat model #10715

Merged
jasonsaayman merged 3 commits into v1.x from docs/update-secuirty-threat-model
Apr 14, 2026

Conversation


@jasonsaayman jasonsaayman commented Apr 14, 2026

Summary by cubic

Adds a comprehensive THREATMODEL.md and links it from SECURITY.md to clarify axios’ runtime and supply‑chain risks, mitigations, and non‑goals for researchers and maintainers.

Description

  • Summary of changes

    • Added THREATMODEL.md detailing runtime and project/SDLC models, assets, threats, mitigations, and explicit non‑goals.
    • Updated SECURITY.md with a “Threat Model” section linking to the doc and scoping guidance for researchers.
  • Reasoning

    • Sets clear expectations for what’s in scope, common misuse patterns, and known gaps.
    • Highlights top project risks (T‑S2: dev‑dep lifecycle scripts; T‑S3: phishing) and practical maintainer mitigations (--ignore-scripts, no publish tokens on laptops, WebAuthn).
  • Additional context

    • Docs‑only; no runtime or build changes.
    • Calls out important defaults callers should consider setting (e.g., maxContentLength, maxBodyLength, allowAbsoluteUrls).

Docs

  • New THREATMODEL.md and cross‑link from SECURITY.md.
  • Follow‑ups suggested in the doc: add CODEOWNERS for sensitive paths, consider reproducible‑build verification, and confirm tag protection on v*.

Testing

  • No tests added; not needed for docs‑only changes.
  • Verified SECURITY.md link to THREATMODEL.md.

Written for commit a55df98. Summary will update on new commits.
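The description above points at three axios options the threat model asks callers to set (maxContentLength, maxBodyLength, allowAbsoluteUrls). The following is an added example, not code from this PR or from axios itself: a small re-implementation of how axios resolves the final request URL from `baseURL`, the per-request `url` and `allowAbsoluteUrls`, so a reader can see why leaving that option at its default lets a caller-supplied absolute URL bypass the configured base, plus a helper that produces a limited client config and a check that reports which limits a config leaves unset. The URL resolution mirrors axios's documented behaviour; the byte limits are constructed sample values, not axios defaults, and `hardenedConfig`/`missingLimits` are illustrative helpers that do not exist in axios.

```javascript
// Added example (not axios's own code). Re-implements axios's documented
// URL resolution and shows a config with the limits the threat model
// suggests callers set. Limit values are constructed samples.

const ABSOLUTE_URL_RE = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// An absolute URL has a scheme followed by "//", or starts with "//".
function isAbsoluteURL(url) {
  return ABSOLUTE_URL_RE.test(url);
}

// Join base and relative path with exactly one slash between them.
function combineURLs(baseURL, relativeURL) {
  return relativeURL
    ? baseURL.replace(/\/?\/$/, '') + '/' + relativeURL.replace(/^\/+/, '')
    : baseURL;
}

// With allowAbsoluteUrls === true (axios's default) an absolute `url`
// replaces baseURL entirely; with false it is appended to baseURL, so a
// caller-controlled path can no longer redirect the client to another host.
function buildFullPath(baseURL, requestedURL, allowAbsoluteUrls = true) {
  const isRelative = !isAbsoluteURL(requestedURL);
  if (baseURL && (isRelative || allowAbsoluteUrls === false)) {
    return combineURLs(baseURL, requestedURL);
  }
  return requestedURL;
}

// Illustrative helper (not part of axios): a config object a caller could
// pass to axios.create(). The option names are real axios options; the
// numeric limits are sample values chosen for this example.
function hardenedConfig(baseURL) {
  return {
    baseURL,
    allowAbsoluteUrls: false,             // keep per-request paths on baseURL
    maxContentLength: 10 * 1024 * 1024,   // cap response body size (bytes)
    maxBodyLength: 1 * 1024 * 1024,       // cap request body size (bytes)
    timeout: 10_000,                      // fail slow servers instead of hanging
  };
}

// Illustrative review check: list the limit-related options a config leaves
// unset, so unbounded clients can be flagged during code review.
function missingLimits(config) {
  const required = ['maxContentLength', 'maxBodyLength', 'allowAbsoluteUrls'];
  return required.filter((key) => config[key] === undefined);
}

// Usage (hypothetical hosts):
// buildFullPath('https://api.example.com', 'https://other.example/x')        -> 'https://other.example/x'
// buildFullPath('https://api.example.com', 'https://other.example/x', false) -> 'https://api.example.com/https://other.example/x'
// missingLimits({ baseURL: 'https://api.example.com' })                       -> all three names
```

The second `buildFullPath` call shows the effect of `allowAbsoluteUrls: false`: the absolute string is treated as a path under `baseURL` rather than as a new origin, which is the behaviour a caller wants when the per-request `url` comes from less trusted input.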

@jasonsaayman jasonsaayman self-assigned this Apr 14, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::docs The PR is related to docs labels Apr 14, 2026
@jasonsaayman jasonsaayman merged commit cb7b9ad into v1.x Apr 14, 2026
26 checks passed
@jasonsaayman jasonsaayman deleted the docs/update-secuirty-threat-model branch April 14, 2026 17:05