Document that xds uses grpc-netty-shaded

For clarity, also extract grpc-netty-shaded to a separate paragraph.

Closes: #7869.

Author: lepistone

SECURITY.md

@@ -55,10 +55,7 @@ Security.insertProviderAt(Conscrypt.newProvider(), 1);
 JDK versions prior to Java 9 do not support ALPN and are either missing AES GCM
 support or have 2% the performance of OpenSSL.
 
-We recommend most users use grpc-netty-shaded, which includes netty-tcnative on
-BoringSSL. It includes pre-built libraries for 64 bit Windows, OS X, and 64 bit
-Linux. For 32 bit Windows, Conscrypt is an option. For all other platforms, Java
-9+ is required.
+We recommend most users use [grpc-netty-shaded](#tls-with-grpc-netty-shaded).
 
 For users of grpc-netty we recommend [netty-tcnative with
 BoringSSL](#tls-with-netty-tcnative-on-boringssl), although using the built-in
@@ -72,6 +69,17 @@ wrapper around OpenSSL/BoringSSL/LibreSSL.
 We recommend BoringSSL for its simplicitly and low occurrence of security
 vulnerabilities relative to OpenSSL. BoringSSL is used by Conscrypt as well.
 
+### TLS with grpc-netty-shaded
+
+Grpc-netty-shaded includes netty-tcnative on
+BoringSSL. It includes pre-built libraries for 64 bit Windows, OS X, and 64 bit
+Linux. For 32 bit Windows, Conscrypt is an option. For all other platforms, Java
+9+ is required.
+
+For users of xDS management protocol, the grpc-netty-shaded transport is
+particularly appropriate since it is already used internally for the xDS
+protocol and is a runtime dependency of grpc-xds.
+
 ### TLS with netty-tcnative on BoringSSL
 
 Netty-tcnative with BoringSSL includes BoringSSL statically linked in the