docs(pipelines): explain that CDK Pipelines is not a security mechanism (#24925)

By its nature, developers will always be able to influence CDK Pipelines. If more guarantees are necessary, they should be configured from the outside.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/aws-cdk-lib/pipelines/README.md

@@ -1291,6 +1291,15 @@ We therefore expect you to mind the following:
   come with CDK Pipelines will expect `package-lock.json` and `yarn.lock` to
   ensure your dependencies are the ones you expect.
 
+- CDK Pipelines runs on resources created in your own account, and the configuration
+  of those resources is controlled by developers submitting code through the pipeline.
+  Therefore, CDK Pipelines by itself cannot protect against malicious
+  developers trying to bypass compliance checks. If your threat model includes
+  developers writing CDK code, you should have external compliance mechanisms in place like
+  [AWS CloudFormation Hooks](https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/)
+  (preventive) or [AWS Config](https://aws.amazon.com/config/) (reactive) that
+  the CloudFormation Execution Role does not have permissions to disable.
+
 - Credentials to production environments should be short-lived. After
   bootstrapping and the initial pipeline provisioning, there is no more need for
   developers to have access to any of the account credentials; all further