DOCS: Add FileShortcodeProvider change to changelog

docs/en/04_Changelogs/4.3.5.md

@@ -0,0 +1,22 @@
+# 4.3.5
+
+Embedding files with shortcodes (`FileShortcodeProvider`) no longer provides a session grant
+by default. This is because it has the potential to escalate file access
+to users who otherwise should not have viewing permissions for the file.
+
+There is a minor performance trade-off for disabling these grants. If you have a page with a lot of
+images that are in a draft state or have custom viewing permissions, it adds an extra database
+query for each embedded image. With session grants enabled, the first permission check persists
+the grant into the session, meaning there is no need to query the database on every single file.
+
+Unless you have a lot of shortcode images embedded with protected or draft status on a single page,
+this setting is best left to its default value of `false`.
+
+To revert to the old behaviour:
+
+```
+SilverStripe\Assets\Shortcodes\FileShortcodeProvider:
+  allow_session_grant: true
+```
+
+<!--- Changes below this line will be automatically regenerated -->