Document the security of tomllib for untrusted input

[opk12]

Documentation

The documentation for tomllib should be explicit on whether untrusted input is safe to parse, or what features should be avoided.

Linked PRs

• gh-111264: Add a note about untrusted input to tomllib docs #146209

[hukkin]

In PR #96499 json docs added the warning

Warning
Be cautious when parsing JSON data from untrusted sources. A malicious JSON string may cause
the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is
recommended. 

as response to CVE-2020-10735 (cpython issue #95778).

The countermeasures already exist in v3.11.0 where tomllib first appears so it's not vulnerable to that particular threat at least.

[encukou]

Let's add a similar note. Perhaps not as a warning -- it's more about communicating what to worry about when dealing with untrusted data (it might make the fan spin but won't format your disk), but also a reminder that you should think about how trusted your data is, plus a basic precaution.