doc: trust FFI in the threat model

Signed-off-by: Paolo Insogna <paolo@cowtech.it>

Author: ShogunPanda

SECURITY.md

@@ -230,6 +230,7 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
   related to these functions that rely on unsanitized input are not considered vulnerabilities
   requiring CVEs, as it's the user's responsibility to sanitize path inputs according to
   their security requirements.
+* The shared objects, libraries and code loaded via `node:ffi`.
 
 Any unexpected behavior from the data manipulation from Node.js Internal
 functions may be considered a vulnerability if they are exploitable via