Add worker isolation docs, update limits/pricing pages, and remove old changelog page (#24275)

* Add worker isolation docs, update limits/pricing pages, and remove old changelog page

* Update src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation.mdx

Co-authored-by: Brendan Irvine-Broque <[email protected]>

* Update src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation.mdx

Co-authored-by: Brendan Irvine-Broque <[email protected]>

* address comments

---------

Co-authored-by: Brendan Irvine-Broque <[email protected]>

Author: dinasaur404

src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/changelog.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: Limits
 sidebar:
-  order: 1
+  order: 2
 
 ---
 
@@ -14,7 +14,9 @@ Cloudflare provides an unlimited number of scripts for Workers for Platforms cus
 
 ## `cf` object
 
-The [`cf` object](/workers/runtime-apis/request/#the-cf-property-requestinitcfproperties) contains Cloudflare-specific properties of a request. This field is not accessible in [user Workers](/cloudflare-for-platforms/workers-for-platforms/reference/how-workers-for-platforms-works/#user-workers) because some fields in this object are sensitive and can be used to manipulate Cloudflare features (for example, `cacheKey`, `resolveOverride`, `scrapeShield`.)
+The [`cf` object](/workers/runtime-apis/request/#the-cf-property-requestinitcfproperties) contains Cloudflare-specific properties of a request. This field is not accessible in [user Workers](/cloudflare-for-platforms/workers-for-platforms/reference/how-workers-for-platforms-works/#user-workers) by default because some fields in this object are sensitive and can be used to manipulate Cloudflare features (for example, `cacheKey`, `resolveOverride`, `scrapeShield`.)
+
+To access the `cf` object, you need to enable [trusted mode](/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation/#trusted-mode) for your namespace. Only enable this if you control all Worker code in the namespace.
 
 ## Durable Object namespace limits
 

src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/limits.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: Pricing
 sidebar:
-  order: 1
+  order: 3
 
 ---
 

src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/pricing.mdx

@@ -0,0 +1,53 @@
+---
+pcx_content_type: concept
+title: Worker Isolation
+sidebar:
+  order: 1
+
+---
+
+### Untrusted Mode (Default)
+
+By default, Workers inside of a dispatch namespace are considered "untrusted." This provides the strongest isolation between Workers and is best in cases where your customers have control over the code that's being deployed.
+
+In untrusted mode:
+
+- The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object is not available in Workers (see [limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits/#cf-object) for more information)
+- Each Worker has an isolated cache, when using the [Cache API](/workers/runtime-apis/cache/) or when making subrequests using `fetch()`, which egress via [Cloudflare's cache](/cache/)
+- [`caches.default`](/workers/reference/how-the-cache-works/#cache-api) is disabled for all Workers in the namespace
+
+This mode ensures complete isolation between customer Workers, preventing any potential cross-tenant data access. 
+
+### Trusted Mode
+
+If you control the Worker code and want to disable isolation mode, you can configure the namespace as "trusted". This is useful when building internal platforms where your company controls all Worker code. 
+
+In trusted mode:
+
+- The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object becomes available, providing access to request metadata
+- All Workers in the namespace share the same cache space when using the Cache API
+
+:::note
+In trusted mode, Workers can potentially access cached responses from other Workers in the namespace. Only enable this if you control all Worker code or have appropriate cache key isolation strategies.
+::: 
+
+To convert a namespace from untrusted to trusted:
+```bash
+curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/dispatch/namespaces/{namespace_name}" \
+  -H "Authorization: Bearer {api_token}" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "{namespace_name}",
+    "trusted_workers": true
+  }'
+  ```
+
+If you enable trusted mode for a namespace that already has deployed Workers, you'll need to redeploy those Workers for the `request.cf` object to become available. Any new Workers you deploy after enabling trusted mode will automatically have access to it. 
+
+### Maintaining cache isolation in trusted mode
+If you need access to `request.cf` but want to maintain cache isolation between customers, use customer-specific [cache keys](/workers/examples/cache-using-fetch/#custom-cache-keys) or the [Cache API](/workers/examples/cache-api/) with isolated keys. 
+
+## Related Resources
+* [Platform Limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits) - Understanding script and API limits
+* [Cache API Documentation](/workers/runtime-apis/cache/) - Learn about cache behavior in Workers
+* [Request cf object](/workers/runtime-apis/request/#the-cf-property-requestcf) - Details on the cf object properties