CAUTION: This is a ticket that needs to be considered by the Spring Security team and thus is not currently a candidate for a pull request.

Currently the behavior for merging Authentication is to add the authorities of the existing Authentication to the new Authentication. We should carefully consider if this should be inverted. Upon deciding, we should document the way in which it is performed and the reasoning for that.

NOTE: If gh-17987 is implemented, users could invert the behavior by returning a custom Authentication.toBuilder() implementation.