joserfc: RFC7797 b64=false JWS payloads bypass payload-size limits
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization.
What changed
RFC7797 b64=false JWS payloads bypass JWSRegistry payload-size limits during deserialization. The normal JWS paths reject oversized payloads with ExceededSizeError, but the RFC7797 unencoded payload paths do not perform the same check, allowing payloads larger than max_payload_length to be accepted.
Who it affects
Applications using joserfc that accept lower-trust JWS values and rely on joserfc to reject oversized token content during verification.
What to do today
Apply workarounds: reject oversized serialized JWS inputs before passing them to joserfc, disable or disallow RFC7797 b64=false tokens if they are not needed, and enforce strict request/header/body size limits at the application or reverse-proxy layer.
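A pre-check of the kind recommended above, written here as an added example rather than code from joserfc: it bounds the serialized token and the payload before the library sees it, counts an RFC7797 b64=false payload by its raw segment length (the decoded length is meaningless there), and refuses b64=false tokens unless the caller opts in. The size limits, the function name and the verdict format are assumptions; the sample tokens are constructed and unsigned.

```python
import base64
import json

# Constructed limits for this example; tune them to your application.
# MAX_PAYLOAD_LENGTH mirrors the library-side cap that the b64=false path
# skips, MAX_SERIALIZED_LENGTH bounds the whole token on the wire.
MAX_SERIALIZED_LENGTH = 4096
MAX_PAYLOAD_LENGTH = 1024


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWS segments carry no '=')."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def precheck_compact_jws(token: str, allow_b64_false: bool = False):
    """Gate a compact-serialized JWS before handing it to the library.

    Returns (True, "ok") if the token may be passed on, else (False, reason).
    Nothing here verifies the signature; it only bounds sizes and optionally
    refuses RFC 7797 unencoded (b64=false) payloads outright.
    """
    if len(token) > MAX_SERIALIZED_LENGTH:
        return False, "serialized JWS exceeds MAX_SERIALIZED_LENGTH"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS (expected 3 segments)"
    header_seg, payload_seg, _signature_seg = parts
    try:
        header = json.loads(_b64url_decode(header_seg))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False, "malformed protected header"
    if not isinstance(header, dict):
        return False, "protected header is not a JSON object"
    # RFC 7797: "b64": false means the payload segment IS the payload, so
    # its size is the raw segment length, not a base64url-decoded length.
    if header.get("b64") is False:
        if not allow_b64_false:
            return False, "RFC7797 b64=false tokens are not accepted"
        payload_length = len(payload_seg.encode("utf-8"))
    else:
        try:
            payload_length = len(_b64url_decode(payload_seg))
        except ValueError:
            return False, "payload segment is not base64url"
    if payload_length > MAX_PAYLOAD_LENGTH:
        return False, "payload exceeds MAX_PAYLOAD_LENGTH"
    return True, "ok"
```

Run this gate on the raw token string before any joserfc call; a False verdict should be logged and the request rejected without further parsing.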