fix: clarify differences in res.jsonp() behavior and security measures

[spiderocious]

Problem

The res.jsonp API reference says the method is "identical to res.json(), except that it opts-in to JSONP callback support". As discussed in #1330, that's understating things: when the callback query parameter is present, res.jsonp also forces the Content-Type to text/javascript (and per @dougwilson's confirmation, this can't be overridden because no other content type will execute as JSONP in a browser), adds X-Content-Type-Options: nosniff, and prefixes the body with /**/ as a security mitigation against the Rosetta Flash JSONP attack.

Fix

Replace the misleading "identical" line with a short bulleted description of the actual differences, in both the 4x and 5x API references. The existing examples and "jsonp callback name" override section are unchanged.

closes #1330

[netlify]

✅ Deploy Preview for expressjscom-preview ready!

Name	Link
🔨 Latest commit	27c2e97
🔍 Latest deploy log	https://app.netlify.com/projects/expressjscom-preview/deploys/6a1edb974b9b3b00083624a2
😎 Deploy Preview	https://deploy-preview-2366--expressjscom-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 99 (🟢 up 2 from production) Accessibility: 100 (no change from production) Best Practices: 100 (no change from production) SEO: 100 (no change from production) PWA: 80 (no change from production) View the detailed breakdown and full score reports
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.