Call out the need for merchants to validate payment responses

[rsolomakhin]

Feedback on Payment Handler TAG review from @dbaron:

Given that the merchant can't trust any security checking that the browser does anyway (even if the browser does end up verifying something based on the payment method manifest connected to the identifier), this seems like it has to be the answer. Perhaps that should be called out a little more clearly in the section on security considerations?

Pull requests welcome.

[stpeter]

The security considerations in general need attention. I'll endeavor to generate a pull request before the face-to-face.

[rsolomakhin]

Feel free to reuse any parts of my pull request #283.

[stpeter]

Ah, I'm planning to work on Payment Request first - I got confused about which repo this issue is in!