Mention when the security releease workflow is not needed

What does this MR do?

It's not rare that I feel like at least one MR in a security release could have gone directly to canonical. In the spirit of efficiency, because the security release workflow is very cumbersome, I added a line to make it clear that people can and should question if something needs to be included in the workflow.

It's a balance, things that need to go in the security release really need to go in it and I appreciate the general caution everyone has but I also want to save everyone as much time as possible as each of those MR requires extra time for the engineer implementing the fix, the maintainers reviewing the backports, the release managers and the security engineers.