Iterate on the Business Objectives and Non-Goals of Tracking Vulnerabilities Across Multiple Branches

The following discussion from !12117 (merged) should be addressed:

  • @theoretick started a discussion: (+2 comments)

    @ghavenga This looks great, thank you for putting it together!!

    I left a lot of nitpicks. Normally nitpicks are non-blocking, but I would strongly consider them in this case, as it's critical for this first pass to be extremely clear for a couple of reasons:

    1. Internal/external stakeholders need to clearly understand the problems and proposals
    2. Clarity in wording can make sure we are all well-aligned

    Outside of that, this is a great first step to outlining the goals and the current commit-based proposal. Some non-blocking things I'd really like to see either in this MR or in a follow-up:

    1. Business Objectives - Fleshing these out to better describe the use cases we are aiming to solve. I described one, but such examples help frame the solution.
    2. Non-goals - we touch on this in the mitigations, but it can be really helpful to outline what we don't plan on solving here. Some ideas:
      1. We can explicitly say "we don't plan on supporting all branches" (and link to the mitigation section)
      2. We can say whether or not this scope includes multi-branch dependency lists [1]
      3. We can say whether we plan on solving separate identity/access management (It's okay if we don't if we want the blueprint to be focused on the data layer)
      4. We can say whether or not we support multi-branch exports

  [1] I missed this before, but the epic actually does include Dependency Lists in the current proposal.