Document critical security limitations of agent firewall before Copilot Coding Agent GA (#57522)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: timrogers <116134+timrogers@users.noreply.github.com>
Co-authored-by: Tim Rogers <me@timrogers.co.uk>
Co-authored-by: Tim Rogers <timrogers@github.com>
Co-authored-by: Sophie <29382425+sophietheking@users.noreply.github.com>

Author: 3 people

content/copilot/how-tos/use-copilot-agents/coding-agent/customize-the-agent-firewall.md

@@ -31,6 +31,16 @@ If {% data variables.product.prodname_copilot_short %} tries to make a request w
 
 ![Screenshot of a warning from {% data variables.product.prodname_copilot_short %} about being blocked by the firewall.](/assets/images/help/copilot/coding-agent/firewall-warning.png)
 
+## Limitations
+
+The agent firewall has important limitations that affect its security coverage.
+
+* **Only applies to processes started by the agent**: The firewall only applies to processes started by the agent via its Bash tool. It does not apply to Model Context Protocol (MCP) servers or processes started in configured {% data variables.product.prodname_copilot_short %} setup steps.
+* **Only applies within the {% data variables.product.prodname_actions %} appliance**: The firewall only operates within the {% data variables.product.prodname_actions %} appliance environment. It does not apply to processes running outside of this environment.
+* **Bypass potential**: Sophisticated attacks may bypass the firewall, potentially allowing unauthorized network access and data exfiltration.
+
+These limitations mean that the firewall provides a layer of protection for common scenarios, but should not be considered a comprehensive security solution.
+
 ## Managing the recommended firewall allowlist
 
 The recommended allowlist, enabled by default, allows access to: