Update docs/user-guide/plugins.md
Co-authored-by: Ben Drucker <[email protected]>
wata727 and bendrucker authored Dec 8, 2024
1 parent 10d692c commit ba7f0e4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/user-guide/plugins.md
Expand Up @@ -141,4 +141,4 @@ If the plugin developer has generated [Artifact Attestations](https://docs.githu

This verification is experimental and optional: it is only attempted if there is no PGP public signing key, and if there is no artifact attestation, a warning will be output, not an error. If you want to require all plugin installs to be signed with a PGP signing key or an artifact attestation, you can force this behavior to be enabled by setting the `TFLINT_EXPERIMENTAL=1`. This behavior will be the default in future versions, but is subject to change without notice.

Note that this validation, like the PGP signing key, does not guarantee that the plugin is secure. Moreover it only guarantees the repository it was built from, not the signer, so it is not secure if an attacker has control over the repository.
Note that this validation, like the PGP signing key, does not guarantee that the plugin is secure. It only attests the source repository/revision from which it was built. It prevents direct upload of malicious release artifacts to GitHub or manipulation of download requests. If an attacker has control over the repository and can perform execution during a build, any resulting malicious release will still be considered "verified."
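Review bot: the sentence "It prevents direct upload of malicious release artifacts to GitHub or manipulation of download requests" in the replacement paragraph overstates what the check does: attestation verification does not prevent those actions, it detects them, because an artifact uploaded by hand or substituted in transit carries no matching attestation and fails verification. Suggest "It lets the installer reject release artifacts that were uploaded directly to GitHub or altered in transit, since such artifacts have no matching attestation." In the last sentence, "can perform execution during a build" reads awkwardly; "can execute code during the build" says the same thing more plainly. Since the preceding paragraph states that a missing attestation only produces a warning unless `TFLINT_EXPERIMENTAL=1` is set, it may also help to say here that the rejection described only blocks installation when that flag is enabled.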
