docs: Update language around immutable programs (#21116)

docs/src/developing/programming-model/accounts.md

@@ -47,9 +47,11 @@ instruction's [program id](transactions.md#program-id). Accounts are marked as
 executable during a successful program deployment process by the loader that
 owns the account. When a program is deployed to the execution engine (BPF deployment),
 the loader determines that the bytecode in the account's data is valid.
-If so, the loader
-permanently marks the program account as executable. Once executable, the
-runtime enforces that the account's data (the program) is immutable.
+If so, the loader permanently marks the program account as executable.
+
+If a program is marked as final (non-upgradeable), the runtime enforces that the
+account's data (the program) is immutable. Through the upgradeable loader, it is
+possible to upload a totally new program to an existing program address.
 
 ## Creating
 

docs/src/developing/programming-model/calling-between-programs.md

@@ -84,8 +84,10 @@ signers and writable accounts. For example, if the instruction the caller is
 processing contains a signer or writable account, then the caller can invoke an
 instruction that also contains that signer and/or writable account.
 
-This privilege extension relies on the fact that programs are immutable. In the
-case of the `acme` program, the runtime can safely treat the transaction's
+This privilege extension relies on the fact that programs are immutable, except
+during the special case of program upgrades.
+
+In the case of the `acme` program, the runtime can safely treat the transaction's
 signature as a signature of a `token` instruction. When the runtime sees the
 `token` instruction references `alice_pubkey`, it looks up the key in the `acme`
 instruction to see if that key corresponds to a signed account. In this case, it