Add guidance on confidential issues in TPA-RFC-2

Currently, TPA-RFC-2 (support) mentions the possibility of creating confidential tickets, but there's no guidance available about when it's appropriate (or not) to create such tickets.

This came up recently after I marked #40353 confidential, eg. should we mark LDAP group access requests as such? Obviously we shouldn't aim to cover all possible use-cases for confidential issues but a little bit of guidance would go a long way.