Clarify User.update :own in permission sets

Add explicit comments explaining why all permission sets
grant User.update with scope :own for password changes.

lib/mv/authorization/permission_sets.ex

@@ -95,7 +95,9 @@ defmodule Mv.Authorization.PermissionSets do
   def get_permissions(:own_data) do
     %{
       resources: [
-        # User: Can always read/update own credentials
+        # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},
 
@@ -125,6 +127,8 @@ defmodule Mv.Authorization.PermissionSets do
     %{
       resources: [
         # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},
 
@@ -157,6 +161,8 @@ defmodule Mv.Authorization.PermissionSets do
     %{
       resources: [
         # User: Can read/update own credentials only
+        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
+        # All permission sets grant User.update :own to allow password changes.
         %{resource: "User", action: :read, scope: :own, granted: true},
         %{resource: "User", action: :update, scope: :own, granted: true},