operator-controller
[security] Prepare a Threat Model for both projects
Keeping in mind one of OLMv1's main guiding principles, "Security by default" (https://operator-framework.github.io/operator-controller/), the security posture of both the catalogd and operator-controller projects should be analyzed and a threat model for each of them should be prepared. Those models should then be kept up to date and included in the PR checklist.
CNCF tag-security's Manual for Practicing Threat Modeling to Assess and Fortify Open Source Security might be a good resource in doing that, as well as other resources or discussions (e.g. https://github.com/cncf/tag-security/issues/903) from that group: https://github.com/cncf/tag-security