docs(world): add comments for prohibitDirectCallback modifier

docs/pages/world/reference/world.mdx

@@ -44,7 +44,10 @@ constructor();
 
 #### prohibitDirectCallback
 
-_Prevents the World contract from calling itself._
+_Prevents the World contract from calling itself.
+If the World is able to call itself via `delegatecall` from a system, the system would have root access to context like internal tables, causing a potential vulnerability.
+Ideally this should not happen because all operations to internal tables happen as internal library calls, and all calls to root systems happen as a `delegatecall` to the system.
+However, since this is an important invariant, we make it explicit by reverting if `msg.sender` is `address(this)` in all `World` methods._
 
 ```solidity
 modifier prohibitDirectCallback();

packages/world/src/World.sol

@@ -51,6 +51,9 @@ contract World is StoreData, IWorldKernel {
 
   /**
    * @dev Prevents the World contract from calling itself.
+   * If the World is able to call itself via delegatecall from a system, the system would have root access to context like internal tables, causing a potential vulnerability.
+   * Ideally this should not happen because all operations to internal tables happen as internal library calls, and all calls to root systems happen as a `delegatecall` to the system.
+   * However, since this is an important invariant, we make it explicit by reverting if `msg.sender` is `address(this)` in all `World` methods.
    */
   modifier prohibitDirectCallback() {
     if (msg.sender == address(this)) {