We need to document that VS Code extensoins do not run sandboxed.

In addition to these, we should document what we are doing to invest in extension security, and what signals can users use when deciding what extension to install.