[BUG]: Remediation docs are misleading for dangerous-triggers #1100

@woodruffw

Description

From https://docs.zizmor.sh/audits/#remediation_4:

> If you have to use a dangerous trigger, consider adding a `github.repository == ...` check to only run for your repository but not in forks of your repository (in case the user has enabled Actions there). This avoids exposing forks to danger in case you fix a vulnerability in the workflow but the fork still contains an old vulnerable version.

This is only applicable for `pull_request_target`, not `workflow_run` -- for `workflow_run` the `github.repository` is always the "upstream" one, since workflow runs always trigger on the HEAD of the default branch.

The docs should include an appropriate warning to that effect, and should maybe link to this post from GHSL.

xref python/typing_extensions#623 (comment)
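The guard the docs describe, written out as a complete workflow. This is an added example, not the zizmor documentation's text or the issue author's code; `example-org/example-repo` is a placeholder for the upstream repository, and the job body is a stand-in for whatever the workflow really does.

```yaml
# Added example (not from the zizmor docs or this issue): a pull_request_target
# workflow that applies the github.repository guard the docs recommend.
# "example-org/example-repo" is a placeholder for the upstream repository.
name: pr-target-guarded

on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege: the default token is read-only; add scopes per job only if a step needs them.
permissions:
  contents: read

jobs:
  triage:
    # Skip the job in forks that have enabled Actions and may still carry an
    # older copy of this workflow: only the upstream repository runs the
    # dangerous trigger. The repository name is the only value compared.
    if: github.repository == 'example-org/example-repo'
    runs-on: ubuntu-latest
    steps:
      - name: Show event context
        # Pass expression values through env rather than interpolating them into the script.
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: echo "Running for $GITHUB_REPOSITORY on PR #$PR_NUMBER"
```

As the issue states, the same `if:` placed on a `workflow_run` workflow is not a meaningful guard, because for that trigger `github.repository` is always the upstream repository; the check would pass unconditionally rather than fence off forks.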

Metadata

Labels: bug (Something isn't working), documentation (Improvements or additions to documentation)
