
Draft: Add note about feature flags

Dominic Couture requested to merge feature-flags-security-release into master

Suggesting a change in the context of https://gitlab.com/gitlab-com/gl-security/appsec/appsec-team/-/issues/132

It's rare, but some security fixes require fundamentally changing how a feature works, and this is disruptive to customers who used the feature in its insecure state.

Waiting for the next major release for a breaking change can sometimes take too long, and publicly announcing the breaking change, as we tend to do for those, would put our customers at risk by putting the details of the vulnerability out in the open.

The proposal is to handle those changes with a feature flag that defaults to the secure state, but leaves the door open for customers to use the insecure configuration while they adapt to the new behavior. We should explain clearly the potential consequences of using the insecure configuration.
