This gives a baseline for future changes, e.g., expanding where
namespace ACLs are used, switching access control to
untrusted-by-default.

The "Security considerations" section  was adapted from

    https://github.com/fluxcd/flux2/pull/2086



Signed-off-by: Michael Bridgen <michael@weave.works>