content: refine dependency threats (#1046)
Refine the "dependency threats" of the Threats & Mitigations page to better explain the intent and to differentiate from (H), which sounded confusingly similar (#1039). More work is needed to refine (H), but that is left to a separate PR.

- Explain that "dependency threats" are not distinct threats but rather threats to other pieces of software that also affect this one. In the diagram, color (D) differently to show this, mirroring the existing dashed lines, and add "(A-H recursively)".
- State that only "build dependencies" are in scope for the threat model, matching the existing diagram and terminology throughout SLSA.
- Rename "Use compromised dependency" to "Compromise build dependency", both for consistency with other threats, which are from the adversary's point of view, and to emphasize that this is restricted to build dependencies.
- Expand the text about dependency threats and give examples. Highlight both "include" and "build tool" types of dependencies, and also include both an accidental vulnerability and a malicious backdoor.

Signed-off-by: Mark Lodato <[email protected]>