docs(security): clarify gateway-node trust boundary in docs

docs/gateway/security/index.md

@@ -79,6 +79,18 @@ This is acceptable when everyone using that agent is in the same trust boundary
 
 If you mix personal and company identities on the same runtime, you collapse the separation and increase personal-data exposure risk.
 
+## Gateway and node trust concept
+
+Treat Gateway and node as one operator trust domain, with different roles:
+
+- **Gateway** is the control plane and policy surface (`gateway.auth`, tool policy, routing).
+- **Node** is remote execution surface paired to that Gateway (commands, device actions, host-local capabilities).
+- A caller authenticated to the Gateway is trusted at Gateway scope. After pairing, node actions are trusted operator actions on that node.
+- `sessionKey` is routing/context selection, not per-user auth.
+- Exec approvals (allowlist + ask) are guardrails for operator intent, not hostile multi-tenant isolation.
+
+If you need hostile-user isolation, split trust boundaries by OS user/host and run separate gateways.
+
 ## Trust boundary matrix
 
 Use this as the quick model when triaging risk: