Clarify how match patterns work with local origins

[dotproto]

Is your feature request related to a problem? Please describe.
An extension developer recently shared feedback that they were surprised to find that adding a match pattern for https://*/* didn't grant their extension access to secure origins, specifically localhost and other such local origins.

Similarly, we have had a couple of recent WECG issues (#303, #304) related to upgrading http: requests to https: through the introduction of the upgrade-insecure-requests CSP directive.

Describe the solution you'd like
The match patterns page should be updated to clarify that the we view match patterns as intentionally scoped to a specific set of requested capabilities. We do not automatically grant access to additional schemes or origins beyond what an extension explicitly requests.

We may also want to add a new section to describe how extension authors should request permission for local origins. In short, the extension developer will need to add match patterns for each way a local origin can be requested:

• http://localhost:*/*
• http://127.0.0.1:*/*
• http://[::1]:*/*

These patterns should be tested before adding them to documentation.

Describe alternatives you've considered
A description of host permissions grants could be added to another page, such as /docs/extensions/mv3/host-permissions (does not exist). Since we don't have a page on host permissions in general, this will have to do for now.

Additional context
Extensions match patterns are implemented here: https://source.chromium.org/chromium/chromium/src/+/main:extensions/common/url_pattern.h