Documentation: Add warning about "private" changes on Gerrit

Private changes on Gerrit are a tricky beast in that they're well hidden
in the UI and a few other places but still reachable under certain
circumstances.

Change-Id: I1c8c6cccfd023bc1d839dc5d9544204c88f89c7e
Signed-off-by: Patrick Georgi <pgeorgi@google.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/59229
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by:  Felix Singer <felixsinger@posteo.net>

Documentation/getting_started/gerrit_guidelines.md

@@ -193,8 +193,10 @@ the wip flag:
 * When pushing patches that are not for submission, these should be marked
 as such. This can be done in the title ‘[DONOTSUBMIT]’, or can be pushed as
 private changes, so that only explicitly added reviewers will see them. These
-sorts of patches are frequently posted as ideas or RFCs for the community
-to look at. To push a private change, use the command:
+sorts of patches are frequently posted as ideas or RFCs for the community to
+look at. Note that private changes can still be fetched from Gerrit by anybody
+who knows their commit ID, so don't use this for sensitive changes. To push
+a private change, use the command:
         git push origin HEAD:refs/for/master%private
 
 * Multiple push options can be combined:

Documentation/tutorial/part2.md

@@ -173,7 +173,9 @@ When you are done with your commit, run `git push` to push your commit to
 coreboot.org. **Note:** To submit as a private patch, use
 `git push origin HEAD:refs/for/master%private`. Submitting as a private patch
 means that your commit will be on review.coreboot.org, but is only visible to
-yourself and those you add as reviewers.
+yourself and those you add as reviewers. This mode isn't perfect: Somebody who
+knows the commit ID can still fetch the change and everything it refers (e.g.
+parent commits).
 
 This has been a quick primer on how to submit a change to Gerrit for review
 using git. You may wish to review the [Gerrit code review workflow