fix(web-search): restrict private network guard

docs/tools/searxng-search.md

@@ -85,6 +85,9 @@ Transport rules:
 - `https://` works for public or private SearXNG hosts
 - `http://` is only accepted for trusted private-network or loopback hosts
 - public SearXNG hosts must use `https://`
+- private/internal hosts use the self-hosted network guard; public `https://`
+  hosts stay on the strict web-search guard and cannot redirect to private
+  addresses
 
 ## Environment variable
 
@@ -112,6 +115,9 @@ key wins first).
 - **No API key** -- works with any SearXNG instance out of the box
 - **Base URL validation** -- `baseUrl` must be a valid `http://` or `https://`
   URL; public hosts must use `https://`
+- **Network guard** -- private/internal SearXNG endpoints opt in to
+  private-network access; public `https://` SearXNG endpoints keep strict SSRF
+  protection
 - **Auto-detection order** -- SearXNG is checked last (order 200) in
   auto-detection. API-backed providers with configured keys run first, then
   DuckDuckGo (order 100), then Ollama Web Search (order 110)