Why:

Dependabot intentionally has no built-in automerge feature (dependabot/dependabot-core#1973 (comment)), and in the past permissions for Dependabot workflows were changed to read-only by default (changelog entry).

If I understand it correctly, the concern is that a Dependabot workflow with write permissions could be exploited by a compromised dependency to immediately compromise the consuming repository as soon as the Dependabot PR is created, without any interaction of the owner.

Therefore adding a custom automerge workflow for Dependabot or giving its workflows write permissions can be a security risk, and is probably worth pointing out in the documentation.

Slightly related to #37657, but does not resolve it

What's being changed (if available, include any code snippets, screenshots, or gifs):

Add warnings to the documentation to inform users about the risk of giving Dependabot workflows more permissions.

I hope these warnings do not seem like fear mongering (any feedback regarding wording is welcome!). Maybe some users who set up auto merging of Dependabot PRs might not consider this a big issue (or an issue at all).

Check off the following:

• A subject matter expert (SME) has reviewed the technical accuracy of the content in this PR. In most cases, the author can be the SME. Open source contributions may require an SME review from GitHub staff.
• The changes in this PR meet the docs fundamentals that are required for all content.
• All CI checks are passing and the changes look good in the review environment.