Mention SameSite cookies in accounts fetch

spec/index.bs

@@ -330,13 +330,11 @@ const credential = await navigator.credentials.get({
 ```
 </div>
 
-For fetches that are sent with cookies, unpartitioned cookies are included,
-as if the resource was loaded as a same-origin request, e.g.
-regardless of the
-[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)
-value (which is used when a resource loaded as a third-party, not first-party). This makes it easy
-for an [=IDP=] to adopt the FedCM API. It doesn't introduce security issues on the API because the
-[=RP=] cannot inspect the results from the fetches in any way.
+When fetches are sent with cookies, unpartitioned
+[SameSite](https://httpwg.org/http-extensions/draft-ietf-httpbis-rfc6265bis.html#name-the-samesite-attribute-2)=None
+cookies are included. It doesn't introduce security issues on the API even when third-party cookies are otherwise
+disabled because the [=RP=] cannot inspect the results from the fetches on its own (i.e., the browser mediates what
+the [=RP=] can receive).
 
 <!-- ============================================================ -->
 ## The connected accounts set ## {#browser-connected-accounts-set}
@@ -1111,6 +1109,9 @@ returns an {{IdentityProviderAccountList}}.
         with [=request/mode=] set to "user-agent-no-cors". See the relevant
         [pull request](https://github.com/whatwg/fetch/pull/1533) for details.
 
+        Note: This fetch should only send Same-Site=None cookies. Specifying this will require
+        [cookie layering](https://github.com/httpwg/http-extensions/issues/2084).
+
     1. Let |accountsList| be null.
     1. [=Fetch request=] with |request| and |globalObject|, and with <var ignore>processResponseConsumeBody</var>
         set to the following steps given a <a spec=fetch for=/>response</a> |response| and |responseBody|: