Merge pull request #18895 from geoffw0/docimplicit

Data flow: Improve doc for defaultImplicitTaintRead.

Author: geoffw0

shared/dataflow/codeql/dataflow/TaintTracking.qll

@@ -26,7 +26,11 @@ signature module InputSig<LocationSig Location, DF::InputSig<Location> Lang> {
 
   /**
    * Holds if taint flow configurations should allow implicit reads of `c` at sinks
-   * and inputs to additional taint steps.
+   * and inputs to additional taint steps defined in the flow `Config`.
+   *
+   * Note that this (deliberately) does not include at additional taint steps defined
+   * globally in `defaultAdditionalTaintStep`. These models are expected to be precise
+   * and therefore to not require implicit reads.
    */
   bindingset[node]
   predicate defaultImplicitTaintRead(Lang::Node node, Lang::ContentSet c);