docs(admin): warn that disabling bruteforcesettings app does not stop BFP

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: skjnldsv <skjnldsv@protonmail.com>

Author: skjnldsv

admin_manual/configuration_server/bruteforce_configuration.rst

@@ -172,6 +172,12 @@ Nextcloud's built-in brute force protection and fail2ban are complementary tools
 operate at different layers of the stack. Using both together is recommended for
 production servers.
 
+.. warning::
+
+   Disabling the ``bruteforcesettings`` app does **not** disable brute force protection.
+   The protection is built into Nextcloud Server core and is always active. The app only
+   provides the admin UI and the IP exclusion settings.
+
 **Nextcloud brute force protection** is built into Nextcloud Server itself (the
 ``bruteforcesettings`` app provides the admin UI and exclusion settings, but the
 protection runs regardless). It works at the **application layer**: it detects