doc: trust FFI in the threat model

Signed-off-by: Paolo Insogna <paolo@cowtech.it>
PR-URL: #62852
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>

Author: ShogunPanda

SECURITY.md

@@ -213,7 +213,7 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
   along with anything under the control of the operating system.
 * The code it is asked to run, including JavaScript, WASM and native code, even
   if said code is dynamically loaded, e.g., all dependencies installed from the
-  npm registry.
+  npm registry or libraries loaded via `node:ffi`.
   The code run inherits all the privileges of the execution user.
 * Inputs provided to it by the code it is asked to run, as it is the
   responsibility of the application to perform the required input validations,