Added a warning to the urljoin docs, indicating that it is not safe to use with attacker controlled URLs (GH-126659)

This was flagged to me at a party today by someone who works in red-teaming as a frequently encountered footgun. Documenting the potentially unexpected behavior seemed like a good place to start.