Minor: Add a brief comment to the RPC role setup code that explains the security justification for it.

node/src/main/kotlin/net/corda/node/services/messaging/ArtemisMessagingServer.kt

@@ -235,8 +235,10 @@ class ArtemisMessagingServer(private val config: NodeConfiguration,
         securityRoles["$INTERNAL_PREFIX#"] = setOf(nodeInternalRole)  // Do not add any other roles here as it's only for the node
         securityRoles[P2P_QUEUE] = setOf(nodeInternalRole, restrictedRole(PEER_ROLE, send = true))
         securityRoles[RPCApi.RPC_SERVER_QUEUE_NAME] = setOf(nodeInternalRole, restrictedRole(RPC_ROLE, send = true))
-        // TODO remove the NODE_USER role once the webserver doesn't need it
+        // TODO: remove the NODE_USER role below once the webserver doesn't need it anymore.
         securityRoles["${RPCApi.RPC_CLIENT_QUEUE_NAME_PREFIX}.$NODE_USER.#"] = setOf(nodeInternalRole)
+        // Each RPC user must have its own role and its own queue. This prevents users accessing each other's queues
+        // and stealing RPC responses.
         for ((username) in userService.users) {
             securityRoles["${RPCApi.RPC_CLIENT_QUEUE_NAME_PREFIX}.$username.#"] = setOf(
                     nodeInternalRole,