Document @EnableWebSecurity behavior when management security disabled

Closes gh-9270

spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -2473,9 +2473,15 @@ the classes imported from there (`SpringBootWebSecurityConfiguration` for web se
 and `AuthenticationManagerConfiguration` for authentication configuration which is also
 relevant in non-web applications). To switch off the default web application security
 configuration completely you can add a bean with `@EnableWebSecurity` (this does not
-disable the authentication manager configuration or Actuator's security). To customize
-it you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
-(e.g. to add form-based login). To also switch off the authentication manager configuration
+disable the authentication manager configuration or Actuator's security).
+To customize it you normally use external properties and beans of type `WebSecurityConfigurerAdapter`
+(e.g. to add form-based login).
+
+NOTE: If you add `@EnableWebSecurity` and also disable Actuator security, you will get
+the default form-based login for the entire application unless you add a custom
+`WebSecurityConfigurerAdapter`.
+
+To also switch off the authentication manager configuration
 you can add a bean of type `AuthenticationManager`, or else configure the
 global `AuthenticationManager` by autowiring an `AuthenticationManagerBuilder` into
 a method in one of your `@Configuration` classes. There are several secure applications in