I'm not entirely in love with how that prose scans. What do you think of expanding it a little like this?
@@ -141,7 +142,9 @@ Internet-Draft BagIt June 2018
1. Strong integrity assurances. The format supports cryptographic-
quality hash algorithms (see Section 2.4) and allows for in-place
upgrades to add additional manifests using stronger algorithms
- without breaking backwards compatibility.
+ without breaking backwards compatibility. This provides high
+ levels of confidence against data corruption but is not designed
+ to be secure against active attacks.
2. Direct file access. Because BagIt specifies an actual filesystem
hierarchy rather than a serialized representation of one, files
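Review bot: The added caveat in the "Strong integrity assurances" item repeats the same sentence that the second hunk adds as Section 5.4 almost verbatim; rather than duplicating the normative wording in two places (which invites drift if one copy is later edited), keep the list item short and point to the new section, e.g. "without breaking backwards compatibility (see Section 5.4 for the limits of this assurance against active attacks)." That also keeps the feature list focused on what the format provides, with the threat-model discussion in one place.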
@@ -842,6 +842,15 @@ Kunze, et al. Expires December 6, 2018 [Page 15]
Internet-Draft BagIt June 2018
+5.4. Attacks on payload file content
+
+ The integrity assurance provided by manifests is designed to provide
+ high levels of confidence against data corruption but is not designed
+ to be secure against active attacks. Organizations which need to
+ secure bags against such threats will need to agree upon additional
+ tag files for extra measures such as digital signatures which are out
+ of scope for this specification.
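Review bot: Section 5.4 states that manifests are "not designed to be secure against active attacks" but does not say why, and readers of a security-considerations section will want the reason: the manifests and tag files travel inside the bag, so whoever can alter a payload file can regenerate the corresponding checksums, and the checksum algorithm's strength does nothing against that. Suggest adding one sentence to that effect before the recommendation about digital signatures, and, when pointing organizations toward signatures in additional tag files, suggest noting that the signature should cover the manifests and tag manifests (not just payload files) so that the signed object binds the whole bag. The section title "Attacks on payload file content" is also narrower than the text, which applies equally to tag file content; consider "Attacks on bag content".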