Comparing changes

base repository: Project-MONAI/MONAI
base: 9c6d819
head repository: Project-MONAI/MONAI
compare: d18565f
  • 2 commits
  • 5 files changed
  • 4 contributors

Commits on Jan 26, 2026

  1. Fix Zip Slip vulnerability in NGC private bundle download (#8682)

    Replaced the unsafe `zipfile.extractall()` in
    `_download_from_ngc_private` with MONAI's safe extraction utility.
    Prevents path traversal via crafted zip member paths (CWE-22).
    
    ### Description
    
    This changes _download_from_ngc_private() to use the same safe zip
    extraction path as the other bundle download sources. The previous code
    used ZipFile.extractall() directly, which could allow Zip Slip path
    traversal if a malicious archive is downloaded. Now extraction validates
    member paths and keeps writes within the target directory.
    
    ---------
    
    Signed-off-by: Yue (Knox) Liu <[email protected]>
    Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
    Co-authored-by: YunLiu <[email protected]>
    3 people committed Jan 26, 2026
    0dd2fb1
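
The member-path validation that the commit message above describes can be sketched as follows. This is an added example, not MONAI's extraction utility or code from the commit; `unsafe_members`, `safe_extract`, `build_zip` and `demo` are hypothetical names, and the archives are constructed in memory.

```python
import io
import os
import tempfile
import zipfile


def unsafe_members(zf: zipfile.ZipFile, dest: str) -> list[str]:
    """Return member names whose resolved path would land outside dest."""
    root = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        target = os.path.realpath(os.path.join(root, info.filename))
        # commonpath equals root only when target is root itself or beneath it
        if os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every member first, then extract; nothing is written on failure."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = unsafe_members(zf, dest)
        if bad:
            raise ValueError(f"refusing archive, members escape target: {bad}")
        zf.extractall(dest)
        return zf.namelist()


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed sample input: an in-memory zip with the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> tuple[list[str], bool]:
    """Extract a benign archive, then confirm a crafted one is refused cleanly."""
    good = build_zip({"bundle/configs/metadata.json": b"{}"})
    crafted = build_zip({"bundle/ok.txt": b"x", "../escape.txt": b"y"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "models")
        os.makedirs(dest)
        extracted = safe_extract(good, dest)
        try:
            safe_extract(crafted, dest)
            rejected = False
        except ValueError:
            rejected = True
        return extracted, rejected and not os.path.exists(os.path.join(tmp, "escape.txt"))
```

Checking all members before writing any of them means a rejected archive leaves the target directory untouched, rather than half-extracted.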

Commits on Jan 27, 2026

  1. Adding What's New Page for 1.5.2 Release (#8720)

    ### Description
    
    This adds the "what's new" page for the minor 1.5.2 release. This commit
    should probably just be cherry-picked for the release. Branch rules will
    have to be temporarily broken to allow the PR past blossom as well;
    since no code is modified here, this is safe, and it's only the
    documentation generation that should be checked.
    
    ### Types of changes
    <!--- Put an `x` in all the boxes that apply, and remove the not
    applicable items -->
    - [x] Non-breaking change (fix or new feature that would not break
    existing functionality).
    - [ ] Breaking change (fix or new feature that would cause existing
    functionality to change).
    - [ ] New tests added to cover the changes.
    - [ ] Integration tests passed locally by running `./runtests.sh -f -u
    --net --coverage`.
    - [ ] Quick tests passed locally by running `./runtests.sh --quick
    --unittests --disttests`.
    - [ ] In-line docstrings updated.
    - [x] Documentation updated, tested `make html` command in the `docs/`
    folder.
    
    ---------
    
    Signed-off-by: Eric Kerfoot <[email protected]>
    Co-authored-by: YunLiu <[email protected]>
    ericspod and KumoLiu committed Jan 27, 2026
    d18565f