gh-94632: document the subprocess need for extra_groups=() with user= (GH-148129)

(cherry picked from commit a1cf443)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>

Author: gpshead

Doc/library/subprocess.rst

@@ -630,6 +630,12 @@ functions.
    the value in ``pw_uid`` will be used. If the value is an integer, it will
    be passed verbatim. (POSIX only)
 
+   .. note::
+
+      Specifying *user* will not drop existing supplementary group memberships!
+      The caller must also pass ``extra_groups=()`` to reduce the group membership
+      of the child process for security purposes.
+
    .. availability:: POSIX
    .. versionadded:: 3.9