Being explicit about our threat model + our security and privacy invariants is important for grounding discussion of security issues in the spec, and for clearly communicating the limitations of the project to users.
Good examples to draw on are Quiet's threat modeling and Soatok's E2EE spec for Mastodon.