
Draft: Restrict filesystem access to the download process whenever possible

Remi Gacogne requested to merge rgacogne/pacman:landlock into master

Hi!

This is a follow-up to the sandboxing work, restricting filesystem access to the downloader process when sandboxing is enabled and Landlock support is available. Right now what it does is make the whole filesystem read-only temporary download directory. It would be possible, and likely desirable, to restrict what the process can read even more, but I wanted to discuss whether there was interest for such a feature as well as the general approach before spending too much time ironing the details out. I have placed the new code in a sandbox_fs.c file, with the idea of adding a sandbox_syscalls.c later to restrict allowed syscalls via seccomp, but another possibility would be to have a sandbox_linux.c file where all Linux-specific features are located.
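For reference, here is what the described Landlock policy looks like in plain C: a ruleset that handles the ABI v1 filesystem rights, allows read (and execute) beneath `/`, allows write beneath the download directory, and degrades gracefully when the kernel has no Landlock. This is an added illustration, not the code from this merge request; the function name `sandbox_fs_restrict`, the access masks, and the treatment of `EPERM` as "unavailable" (a seccomp-filtered syscall) are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock syscall numbers are identical on every architecture (since 5.13). */
#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444
#define SYS_landlock_add_rule 445
#define SYS_landlock_restrict_self 446
#endif

/* ABI v1 rights (assumed split): read + execute everywhere, write only under the download dir. */
#define SANDBOX_FS_READ (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR | \
                         LANDLOCK_ACCESS_FS_EXECUTE)
#define SANDBOX_FS_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | \
                          LANDLOCK_ACCESS_FS_REMOVE_FILE)

/* Allow `access` on everything beneath `path`; returns 0, or -1 with errno set. */
static int sandbox_fs_allow(int ruleset_fd, const char *path, __u64 access)
{
	struct landlock_path_beneath_attr attr = { .allowed_access = access };
	attr.parent_fd = open(path, O_PATH | O_CLOEXEC);
	if (attr.parent_fd < 0) {
		return -1;
	}
	int ret = syscall(SYS_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &attr, 0);
	close(attr.parent_fd);
	return ret;
}

/* Make the filesystem read-only except for `download_dir`.
 * Returns 0 once the restriction is in place, 1 when Landlock is unavailable
 * (old kernel, LSM not enabled, or the syscalls filtered) so the caller can
 * carry on without it, and -1 on any other error. */
int sandbox_fs_restrict(const char *download_dir)
{
	struct landlock_ruleset_attr rs = { .handled_access_fs = SANDBOX_FS_READ | SANDBOX_FS_WRITE };
	int fd = syscall(SYS_landlock_create_ruleset, &rs, sizeof(rs), 0);
	if (fd < 0) {
		return (errno == ENOSYS || errno == EOPNOTSUPP || errno == EPERM) ? 1 : -1;
	}
	int ret = -1;
	if (sandbox_fs_allow(fd, "/", SANDBOX_FS_READ) == 0 &&
	    sandbox_fs_allow(fd, download_dir, SANDBOX_FS_READ | SANDBOX_FS_WRITE) == 0 &&
	    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&          /* required before restrict_self */
	    syscall(SYS_landlock_restrict_self, fd, 0) == 0) {
		ret = 0;
	}
	close(fd);
	return ret;
}
```

Because the ruleset handles every write-class right but only grants them beneath the download directory, any attempt to create or modify a file elsewhere fails with `EACCES` after `landlock_restrict_self()`, while reads of the package database and certificates keep working.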
