Do not set trusted-content in major modes

* lisp/progmodes/elisp-mode.el (lisp-interaction-mode):
* lisp/ielm.el (inferior-emacs-lisp-mode): Do not set `trusted-content.
* lisp/ielm.el (ielm):
* lisp/simple.el (get-scratch-buffer-create): Set `trusted-content` here
instead.
* lisp/files.el (trusted-content): Doc fix; warn against setting this
option to :all in a major or mode mode.
Problem reported by Max Nikulin <manikulin@gmail.com>.

etc/NEWS

@@ -193,6 +193,9 @@ For example, Flymake's backend for Emacs Lisp consults this option
 and disables itself with an "untrusted content" warning if the file
 is not listed.
 
+Emacs Lisp authors should note that a major or minor mode must never set
+this variable to the ':all' value.
+
 This option is used to fix CVE-2024-53920.  See below for details.
 
 ** Emacs now supports Unicode Standard version 15.1.

lisp/files.el

@@ -724,11 +724,12 @@ enabled (for example, when it is added to a mode hook).
 Each element of the list should be a string:
 - If it ends in \"/\", it is considered as a directory name and means that
   Emacs should trust all the files whose name has this directory as a prefix.
-- else it is considered as a file name.
+- Otherwise, it is considered a file name.
 Use abbreviated file names.  For example, an entry \"~/mycode/\" means
 that Emacs will trust all the files in your directory \"mycode\".
 This variable can also be set to `:all', in which case Emacs will trust
-all files, which opens a gaping security hole."
+all files, which opens a gaping security hole.  Emacs Lisp authors
+should note that this value must never be set by a major or minor mode."
   :type '(choice (repeat :tag "List" file)
                  (const :tag "Trust everything (DANGEROUS!)" :all))
   :version "30.1")

lisp/ielm.el

@@ -580,7 +580,6 @@ Customized bindings may be defined in `ielm-map', which currently contains:
        ielm-fontify-input-enable
        (comint-fontify-input-mode))
 
-  (setq-local trusted-content :all)
   (setq comint-prompt-regexp (concat "^" (regexp-quote ielm-prompt)))
   (setq-local paragraph-separate "\\'")
   (setq-local paragraph-start comint-prompt-regexp)
@@ -684,7 +683,8 @@ See `inferior-emacs-lisp-mode' for details."
     (unless (comint-check-proc buf-name)
       (with-current-buffer (get-buffer-create buf-name)
         (unless (zerop (buffer-size)) (setq old-point (point)))
-        (inferior-emacs-lisp-mode)))
+        (inferior-emacs-lisp-mode)
+        (setq-local trusted-content :all)))
     (pop-to-buffer-same-window buf-name)
     (when old-point (push-mark old-point))))
 

lisp/progmodes/elisp-mode.el

@@ -1337,8 +1337,7 @@ Semicolons start comments.
 
 \\{lisp-interaction-mode-map}"
   :abbrev-table nil
-  (setq-local lexical-binding t)
+  (setq-local lexical-binding t))
-  (setq-local trusted-content :all))
 
 ;;; Emacs Lisp Byte-Code mode
 

lisp/simple.el

@@ -11154,7 +11154,9 @@ too short to have a dst element.
           (when initial-scratch-message
             (insert (substitute-command-keys initial-scratch-message))
             (set-buffer-modified-p nil))
-          (funcall initial-major-mode))
+          (funcall initial-major-mode)
+          (when (eq initial-major-mode 'lisp-interaction-mode)
+            (setq-local trusted-content :all)))
         scratch)))
 
 (defun scratch-buffer ()