Merge pull request w3c#1765 from w3c/issue-1763-uv-pii

Clarify why PII is not allowed in user handle

index.bs

@@ -7615,7 +7615,9 @@ only to the operating system user that created that [=platform credential=].
 
 ### User Handle Contents ### {#sctn-user-handle-privacy}
 
-Since the [=user handle=] is not considered [PII] in [[#sctn-pii-privacy]], the [=[RP]=] MUST NOT include [PII], e.g., e-mail
+Since the [=user handle=] is not considered [PII] in [[#sctn-pii-privacy]],
+and since [=authenticators=] MAY reveal [=user handles=] without first performing [=user verification=],
+the [=[RP]=] MUST NOT include [PII], e.g., e-mail
 addresses or usernames, in the [=user handle=]. This includes hash values of [PII], unless the hash
 function is [=salted=] with [=salt=] values private to the [=[RP]=], since hashing does not prevent probing for guessable input
 values. It is RECOMMENDED to let the [=user handle=] be 64 random bytes, and store this value in the [=user account=].