Continuation of #619 -- Add some text to make the readers aware of the caveats.

Issue #642 resolved
Nat Sakimura created an issue

The current scope is:

This specification is a general purpose high security profile of OAuth 2.0 that has been proved by formal analysis to meet the stated attacker model. This document specifies the requirements for:

* Confidential Clients to securely obtain OAuth tokens from Authorization Servers;

* Confidential Clients to securely use those tokens to access protected resources at Resource Servers;

* Authorization Servers to securely issue OAuth tokens to confidential Clients;

* Resource Servers to securely accept and verify OAuth tokens from confidential Clients.

Proposes to add the following text at the end of it:

This document is applicable to the case where an end user is logged in at a client using OpenID Connect based on an ID Token, and to the case where an end user is not logged in at a client, in which case the client identifies the user (agent) by a cookie (that cookie is not bound to an identity, only to an authorization grant flow).

It is related to #619.
