Secret Detection docs should make it clear which commits are scanned

Problem to solve

Secret detection scanning behavior can depend on the pipeline config and whether SECRET_DETECTION_HISTORIC_SCAN. We should make it super clear which commits are scanned under which circumstances.

Further details

  • I wasn't sure about whether this comment was correct (scanning only one commit) and couldn't find an unambiguous statement: #357453 (comment 896778057)
  • Confusion around which commits were scanned in MR pipelines came up in this recent issue: #356093 (comment 884585255)
  • Slack thread (team members only) surfaced customer confusion about behavior

Proposal

Add a section, or edit existing content, that explicitly addresses the question, "Which commits are scanned in a Secret Detection job?"

This section should link to related config options.

Who can address the issue

Need a technical summary from a Category:Secret Detection expert. After that, anyone can address the documentation issue.

Other links/references

Edited by Connor Gilbert