[vault-contract] Document external contract address trust assumptions

[Villarley]

Based on SECURITY_AUDIT_VAULT_CONTRACT-V1.0.0.md (finding F-08).

Severity: Medium

Summary

Document that the deployer must use trusted token and USDC addresses. Optionally validate against a registry if available.

Acceptance criteria

• Add documentation to README or deployment docs about trusted addresses
• Optionally: add validation against token registry if ecosystem provides one