Explicitly note recommendations for local-scheme frames.

Closes w3c#2.

Author: mikewest

index.bs

@@ -581,6 +581,19 @@ whose projects require risky settings.
 This document recommends setting those less-secure header values explicitly, as that makes it more
 likely that we'll be able to shift the web's defaults in the future.
 
+Isolating Local-Scheme Frames {#local-scheme-frames}
+----------------------------------------------------
+
+Note that frames loaded from local schemes will generally inherit policies applied to the document
+which created them, and may end up in-process with that document if the stars align unfortunately.
+Developers are encouraged to explicitly shift these documents to opaque origins, either by using
+`data:` URLs directly, or by applying a <{iframe/sandbox}> attribute to frames created using
+`<iframe srcdoc="...">`. `blob:` URLs, and so on.
+
+Likewise, user agents are encouraged to take <{iframe/sandbox}> attributes into account when
+allocating processes for framed documents, and to align the process boundary with the origin
+boundary whenever possible.
+
 
 Acknowledgements {#acks}
 ========================