Plain meaning
Start with the shortest useful explanation before going deeper.
The requirement that, when deriving a Program Derived Address (PDA), a program always use the canonical bump rather than accepting an arbitrary bump supplied by the caller. The canonical bump is the highest bump value (starting from 255 and decrementing) for which find_program_address returns a valid off-curve point. If a program stores and re-uses a non-canonical bump, an attacker can create a different PDA (with a different canonical bump) that happens to match a seed set the program trusts, or can derive valid PDAs outside the expected namespace. Anchor's seeds and bump constraints enforce canonicalization by calling find_program_address internally and asserting that the provided bump matches. Storing the canonical bump in the account at init time (instead of rediscovering it) is the recommended gas-efficient pattern.
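The following is an added example, not code from Solana or Anchor: a pure-Python model of the derivation rule (SHA-256 over the seeds, the bump, the program id and the "ProgramDerivedAddress" marker, rejected when the digest decodes to an ed25519 point). It shows that one seed set has many valid bumps and contrasts a check that accepts any of them with one that accepts only the canonical bump. The function names, PROGRAM_ID and SEEDS are hypothetical, constructed values.

```python
import hashlib

P = 2**255 - 19
D = -121665 * pow(121666, -1, P) % P  # ed25519 curve constant d

def on_curve(b: bytes) -> bool:
    """True if the 32 bytes decode to an ed25519 point (y with a valid x)."""
    y = (int.from_bytes(b, "little") & ((1 << 255) - 1)) % P
    x2 = (y * y - 1) * pow(D * y * y + 1, -1, P) % P
    return x2 == 0 or pow(x2, (P - 1) // 2, P) == 1

def create_address(seeds, bump, program_id):
    """Model of create_program_address: None when the digest is on-curve."""
    h = hashlib.sha256(b"".join(seeds) + bytes([bump]) + program_id
                       + b"ProgramDerivedAddress").digest()
    return None if on_curve(h) else h

def find_address(seeds, program_id):
    """Model of find_program_address: first valid bump counting down from 255."""
    for bump in range(255, 0, -1):
        addr = create_address(seeds, bump, program_id)
        if addr is not None:
            return addr, bump
    raise ValueError("no valid bump")

def check_loose(seeds, bump, program_id, account):
    """Weak: accepts any caller-supplied bump that derives the account."""
    return create_address(seeds, bump, program_id) == account

def check_canonical(seeds, bump, program_id, account):
    """Strict: the bump must be the canonical one for these seeds."""
    return find_address(seeds, program_id) == (account, bump)

# Constructed sample values, not real on-chain identifiers.
PROGRAM_ID = bytes(range(32))
SEEDS = [b"vault", b"\x11" * 32]

VALID = [b for b in range(256) if create_address(SEEDS, b, PROGRAM_ID)]
CANON_ADDR, CANON_BUMP = find_address(SEEDS, PROGRAM_ID)
OTHER_BUMP = min(VALID)  # a valid but non-canonical bump
OTHER_ADDR = create_address(SEEDS, OTHER_BUMP, PROGRAM_ID)

if __name__ == "__main__":
    print("valid bumps:", len(VALID), "canonical:", CANON_BUMP)
    print("loose accepts non-canonical:",
          check_loose(SEEDS, OTHER_BUMP, PROGRAM_ID, OTHER_ADDR))
    print("strict accepts non-canonical:",
          check_canonical(SEEDS, OTHER_BUMP, PROGRAM_ID, OTHER_ADDR))
```

Roughly half of all bump values produce an off-curve digest, which is why the loose check leaves many distinct addresses acceptable for the same seeds while the strict check leaves exactly one.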