Thoughts after playing around with GitHub's `/security-review` command

I was setting up Copilot CLI on my work account last week and came across an experimental /security-review command. I didn't see any announcement for it, so I was curious how it worked and poked around a little. The short version of what it does: you finish your coding session, it reads the diff, and it produces a list of likely vulnerabilities. Useful on paper. The thing I couldn't tell from poking at it manually was how much the underlying model matters.