OpenShift Bugs: OCPBUGS-992

Document namespaces where workloads should not be run


Description of problem: When attempting to create a pod in the `default` namespace, the request was rejected because the pod did not meet the PSA namespace requirements:

```
error creating new pod: oo-g4t6w-: pods "oo-g4t6w-xlt6m" is forbidden: violates PodSecurity "restricted:latest": runAsNonRoot != true (pod or container "registry-server" must set securityContext.runAsNonRoot=true)
```

This same pod could run in the `foo` namespace I created. The pod failed to meet the PSA namespace requirements in the `default` namespace because:
1) the securityContext was not fully or sufficiently specified to meet the PSA requirements.
2) the default namespace does not run SCC admission, which would normally (when the pod otherwise qualifies for an appropriate SCC such as restricted-v2) populate the additional securityContext fields so that the pod meets the PSA requirements.
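As an added example (not part of the bug report or of the OpenShift code base), the following Python approximates the container checks of the "restricted" PSA level and runs them over two constructed pod specs: the report's pod with no securityContext, and the same pod with the fields an SCC such as restricted-v2 is assumed to populate. The checks and messages are a simplification of upstream PSA, not its implementation.

```python
# Added example (not from the bug report or the OpenShift code base): a simplified
# checker that approximates the "restricted" Pod Security Admission level's
# container checks, to show why the pod in the report is rejected in `default`
# (where no SCC admission mutates it) and admitted once the fields that an SCC
# such as restricted-v2 normally fills in are present. Not the upstream PSA code.

def _effective(pod, container, key):
    """Container-level securityContext overrides the pod-level value."""
    c_ctx = container.get("securityContext") or {}
    p_ctx = pod["spec"].get("securityContext") or {}
    return c_ctx[key] if key in c_ctx else p_ctx.get(key)

def restricted_violations(pod):
    """Return PSA-style violation messages for the pod; an empty list means admitted."""
    found = []
    spec = pod["spec"]
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, c_ctx = c["name"], c.get("securityContext") or {}
        if _effective(pod, c, "runAsNonRoot") is not True:
            found.append(f'runAsNonRoot != true (pod or container "{name}" must set '
                         'securityContext.runAsNonRoot=true)')
        if c_ctx.get("allowPrivilegeEscalation") is not False:
            found.append(f'allowPrivilegeEscalation != false (container "{name}" must set '
                         'securityContext.allowPrivilegeEscalation=false)')
        caps = c_ctx.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []) or set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f'unrestricted capabilities (container "{name}" must drop ALL '
                         'and may add only NET_BIND_SERVICE)')
        if (_effective(pod, c, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            found.append(f'seccompProfile (pod or container "{name}" must set '
                         'securityContext.seccompProfile.type to RuntimeDefault or Localhost)')
    return found

# Constructed pod specs: the report's pod with no securityContext of its own, and the
# same pod with the fields an SCC such as restricted-v2 is assumed to set on admission.
REJECTED_POD = {"spec": {"containers": [
    {"name": "registry-server", "image": "example.invalid/registry:latest"}]}}

ADMITTED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "registry-server", "image": "example.invalid/registry:latest",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("default namespace, no SCC mutation", REJECTED_POD),
                       ("fields populated as restricted-v2 would", ADMITTED_POD)):
        problems = restricted_violations(pod)
        print(f"{label}: " + ("admitted" if not problems else "; ".join(problems)))
```

The first message printed for the rejected pod matches the `runAsNonRoot != true` error quoted above; the admitted pod produces none.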

I spoke with Standa Laznicka who provided this (possibly incomplete) list of namespaces where workloads should not be run:

• kube-public
• kube-system
• openshift
• openshift-config
• openshift-config-managed
• default

Currently, there is no customer-facing documentation that users may reference to know which namespaces workloads should not be run in. It would be great to highlight this information to avoid confusion in the future.

Version-Release number of selected component (if applicable): 4.12.0

How reproducible: Always

Steps to Reproduce:
1. Attempt to create a pod in the default namespace

People: Andrea Hoffer (rhn-support-ahoffer), Alexander Greene (agreene1991)