Mark 'include_federated_domains' option as unsafe or remove it #217
Description
The include_federated_domains options merges the trust bundle for the trust domain with the trust bundles from all federated trust domains. This is likely done to be able to comply with the use case of this tool, which is interacting with tools that take in a single CA bundle, but goes against the way SVIDs should be validated. They should only be validated against the trust bundle of the domain that signed them, based on the SPIFFE ID. Doing otherwise can lead to security issues where a trust domain could impersonate any SPIFFE ID from a different trust domain that federates with it.
I imagine this option was useful for someone, but it would be good to explicitly mark it as unsafe in the documentation and possibly through logging, since it really should not be used in production if you have federated trust domains.