docs: Clarify that encryption should not be in reconciler pipeline

UpgradeImpact
=============
Operators should verify that encryption is not enabled in their
reconciler pipelines; having it enabled there may harm data durability.
For more information, see https://launchpad.net/bugs/1910804

Change-Id: I1a1d78ed91d940ef0b4eba186dcafd714b4fb808
Closes-Bug: #1910804

doc/source/overview_encryption.rst

@@ -781,8 +781,9 @@ encrypted.
 
 Encryption has no impact on the `container-reconciler` service. The
 `container-reconciler` uses an internal client to move objects between
-different policy rings. The destination object has the same URL as the source
+different policy rings. The reconciler's pipeline *MUST NOT* have encryption
-object and the object is moved without re-encryption.
+enabled. The destination object has the same URL as the source object and the
+object is moved without re-encryption.
 
 
 Considerations for developers

etc/container-reconciler.conf-sample

@@ -58,6 +58,12 @@
 # ionice_priority =
 
 [pipeline:main]
+# Note that the reconciler's pipeline is intentionally very sparse -- it is
+# only responsible for moving data from one policy to another and should not
+# perform any transformations beyond (potentially) changing erasure coding.
+# It notably MUST NOT include transformative middlewares (such as encryption),
+# redirection middlewares (such as symlink), or composing middlewares (such
+# as slo and dlo).
 pipeline = catch_errors proxy-logging cache proxy-server
 
 [app:proxy-server]