Document threats where a Solid-OIDC issuer performs illegal activities

[csarven]

The idea that a service could perform illegal activities was original raised in:

solid/webid-profile#118 (comment)

[elf-pavlik]

Could you please add a specific use case?

OIDC Issuer, as the Identity Provider, has the highest user trust since it can authenticate anything as the user, in contrast to apps with the lowest trust and can only do precisely what the user explicitly authorized them to do.