docs: clarify layouts, auth boundaries, and streaming
Rewrite the "Layouts and auth checks" intro: partial rendering risks,
DAL + per-route enforcement, avoid child-wrapping verify+Suspense as
access control, defer dynamic reads for shell UI only per Streaming.
Made-with: Cursor
