
SECURITY.md: context on when private disclosure is relevant for privacy/security spec issues #3

@npdoty

It would be a radical change for every privacy and security issue in a privacy-related spec under development to be reported privately; I don't think that's what's intended here, but we should be explicit about it. Feedback and iteration would be much slower, and chairs would become a bottleneck.

Maybe instead we could give guidance on when it might be useful to provide feedback privately instead of through normal spec development (say, a vulnerability in a widely-shipped implemented feature, where you don't believe attackers are already exploiting it and where it needs to be resolved privately by implementers and spec authors in a coordinated way).

(as previously noted here: privacycg/admin#11)
