Clarify unsafe option scope without removing security warning

Author: confidentzzzs

cairosvg/surface.py

@@ -116,6 +116,10 @@ def convert(cls, bytestring=None, *, file_obj=None, url=None, dpi=96,
         :param unsafe: A boolean allowing external file access, XML entities
                        and very large files
                        (WARNING: vulnerable to XXE attacks and various DoS).
+                       This does NOT restrict fetching of the main SVG input specified via
+                       the ``url`` parameter.
+                       Applications should validate input URLs to prevent SSRF.
+
 
         Specifiy the output with: