Commit 7fc357d

committed
docs(framework): add security motivation for ignoreUrlParams
1 parent 1f3d955 commit 7fc357d

1 file changed

Lines changed: 2 additions & 2 deletions

docs/2-advanced/01-configuration.md

@@ -310,9 +310,9 @@ Failing to do so will result in a warning in the console and the theme root will
310310

311311
This configuration option controls whether URL parameters (e.g. `sap-ui-theme`, `sap-ui-language`, `sap-ui-animationMode`) are processed during framework initialization.
312312

313-
By default, the framework reads `sap-*` and `sap-ui-*` URL parameters and uses them to override the configuration script settings. While useful during development and testing, this behavior can be a security concern in production environments since URL parameters are user-controlled input that can be manipulated through crafted links.
313+
By default, the framework reads `sap-*` and `sap-ui-*` URL parameters and uses them to override the configuration script settings. While useful during development and testing, this behavior can be a security concern in production environments since URL parameters are user-controlled input that can be manipulated through crafted links. For example, an attacker could construct a phishing URL like `?sap-ui-theme=custom@https://malicious.com/` to attempt loading theme assets from an external origin.
314314

315-
When set to `true`, all URL parameter processing is skipped and only the configuration script and module imports are used.
315+
Setting `ignoreUrlParams` to `true` eliminates this attack surface entirely by skipping all URL parameter processing. Only the configuration script and module imports will be used to determine the framework configuration.
316316

317317
Example:
318318
```html
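Review bot: "eliminates this attack surface entirely" in the rewritten line 315 overstates what the option does; `ignoreUrlParams` removes URL parameters as a configuration source, but values such as a theme root still arrive through the configuration script and module imports named in the same sentence, so the origin restriction described in the hunk context ("Failing to do so will result in a warning in the console and the theme root will ...") remains the control that governs where theme assets may be loaded from. Suggest wording it as "removes URL parameters as a source of configuration" and adding a sentence that points readers back to that theme-root restriction, so the `custom@https://malicious.com/` example at line 313 reads as an illustration of why the restriction exists rather than as something `ignoreUrlParams` alone prevents. Minor: the example would be clearer if it stated what the framework does today with such a value (the warning and fallback the context line describes) so a reader does not assume the external origin is loaded silently.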
