doc: use stronger language about security of vm

PR-URL: #23198
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: John-David Dalton <[email protected]>
Reviewed-By: Trivikram Kamat <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>

Author: devsnek

doc/api/vm.md

@@ -7,7 +7,10 @@
 <!--name=vm-->
 
 The `vm` module provides APIs for compiling and running code within V8 Virtual
-Machine contexts.
+Machine contexts. **Note that the `vm` module is not a security mechanism. Do
+not use it to run untrusted code**. The term "sandbox" is used throughout these
+docs simply to refer to a separate context, and does not confer any security
+guarantees.
 
 JavaScript code can be compiled and run immediately or
 compiled, saved, and run later.
@@ -40,9 +43,6 @@ console.log(sandbox.y); // 17
 console.log(x); // 1; y is not defined.
 ```
 
-**The vm module is not a security mechanism. Do not use it to run untrusted
-code**.
-
 ## Class: vm.SourceTextModule
 <!-- YAML
 added: v9.6.0