Add a security disclaimer about Actions VMs (github#31797)

Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>

content/actions/security-guides/security-hardening-for-github-actions.md

@@ -215,6 +215,12 @@ For more information on how to configure this setting, see {% ifversion allow-ac
 
 These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner.
 
+{% note %}
+
+**Note:** {% data variables.product.prodname_dotcom %}-hosted runners do not scan for malicious code downloaded by a user during their job, such as a compromised third party library.
+
+{% endnote %}
+
 ### Accessing secrets
 
 Workflows triggered using the `pull_request` event have read-only permissions and have no access to secrets. However, these permissions differ for various event triggers such as `issue_comment`, `issues` and `push`, where the attacker could attempt to steal repository secrets or use the write permission of the job's [`GITHUB_TOKEN`](/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token).