OWASP / www-project-kubernetes-top-ten

OWASP Foundation Web Repository

Home Page:https://owasp.org/www-project-kubernetes-top-ten/

Misunderstandings of how the `LIST` and `WATCH` permissions work in kubernetes

RichardoC opened this issue · comments

How/where should I add some docs regarding this?

I've seen this be done incorrectly a few times and would like to contribute a doc about it.

Third-party example write-ups:
- Why list is a scary permission on k8s
- Kubernetes security recommendations for developers

I think a great spot for how LIST and WATCH permissions work and associated attack scenarios would be here - https://github.com/OWASP/www-project-kubernetes-top-ten/blob/main/2022/en/src/K03-overly-permissive-rbac.md

You can add a new "Attack Scenario" then we can review collectively. This section definitely needs some more detail!
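As an added example (not code from this issue or from the OWASP project), a small RBAC audit over Role/ClusterRole manifests constructed inline: it flags rules that grant list or watch on secrets. Both verbs return the complete objects, secret data included, so such a rule reads every secret in its scope even when the get verb is absent; the role names and rules below are made up for the demonstration.

```python
# Added example, not code from the issue or the OWASP project. A list or
# watch response carries whole objects (for secrets, the data field too),
# so granting either verb on secrets is bulk read access to every secret
# in scope. This audit flags such rules in manifests supplied as dicts.
from typing import Iterable

BULK_READ_VERBS = {"list", "watch", "*"}  # verbs that return whole objects


def _names(values: Iterable[str], wanted: str) -> bool:
    """True when a rule field names `wanted` directly or via wildcard."""
    return any(v in ("*", wanted) for v in values)


def secret_bulk_readers(role: dict) -> list[dict]:
    """Rules in a Role/ClusterRole that can dump secrets in bulk."""
    findings = []
    for rule in role.get("rules", []):
        # Secrets live in the core API group, written as "" in RBAC rules.
        if not _names(rule.get("apiGroups", []), ""):
            continue
        if not _names(rule.get("resources", []), "secrets"):
            continue
        verbs = BULK_READ_VERBS & set(rule.get("verbs", []))
        if verbs:
            findings.append({"verbs": sorted(verbs),
                             "resources": rule.get("resources", [])})
    return findings


def audit(roles: list[dict]) -> dict[str, list[dict]]:
    """Map each role name to its risky rules; roles with none are omitted."""
    report = {}
    for role in roles:
        hits = secret_bulk_readers(role)
        if hits:
            report[role["metadata"]["name"]] = hits
    return report


# Constructed sample manifests (hypothetical names, not from any cluster).
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "secret-lister"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "verbs": ["list", "watch"]}]},  # reads every secret
    {"kind": "Role", "metadata": {"name": "one-secret-getter"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"],
                "resourceNames": ["db-creds"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "pod-lister"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["list"]}]},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ROLES).items():
        print(f"{name}: {hits}")
```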