fix(core): correct misleading jinja2 sandboxing comment (#35183)

## Summary
- The inline comment at `langchain_core/prompts/string.py:67-69`
incorrectly states that `SandboxedEnvironment` "blocks ALL
attribute/method access" and that "only simple variable lookups like
`{{variable}}` are allowed."
- In reality, Jinja2's `SandboxedEnvironment` only blocks access to
dunder attributes (`__class__`, `__globals__`, etc.) to prevent sandbox
escapes. Regular attribute access like `{{obj.content}}` and method
calls remain allowed.
- This misleading comment was left behind when a
`_RestrictedSandboxedEnvironment` class was reverted in commit
395c8d0bd4. Updated to accurately describe the actual behavior.

## Why this matters
The comment could mislead developers into trusting partially-untrusted
templates, believing attribute access is blocked when it is not. The
function's docstring already correctly warns against untrusted
templates.

## Test plan
- [ ] No behavioral change — comment-only fix
- [ ] Verified `SandboxedEnvironment` behavior matches updated comment

> This PR was authored with the help of AI tools.