Harden our macOS builds
We ship our .dmg files properly notarized since Tor Browser 9 (see: #30126 (moved)). The Hardened Runtime allows us, however, to tighten down our application further in general, and with respect to what Mozilla is using in particular (we are currently using their production entitlements file).
This is the parent ticket for different issues that have piled up since #30126 (moved) got resolved.