feat: add threat model document

[andreynering]

Add a THREAT_MODEL.md that identifies security threats, assets, and mitigations for the Task project. Follows the same style as INCIDENT_RESPONSE_PLAN.md and includes Task-specific concerns such as remote Taskfile fetching, distribution channels, and shell execution.

💘 Generated with Crush

Assisted-by: Kimi K2.6 via Crush crush@charm.land

---

• Preview: https://github.com/go-task/.github/blob/threat-model/THREAT_MODEL.md

My prompt to Kimi K2.6:

Generate a THREAT_MODEL.md.

• We want this to be relatively short.
• It should mostly follow the same written style of the existing INCIDENT_RESPONSE_PLAN.md.
• Use this one as inspiration: https://github.com/goreleaser/goreleaser-pro/blob/main/THREAT_MODEL.md
• This is a .github repository. The actual project is on /Users/andrey/Developer/task/task, feel free to investigate the project.

[pd93]

I think we can add a link to this from the SECURITY.md file. Also, once we're happy with this, we should add it to our website like the IRP.