Implement something like "SafeLogging" for Arti
Tor has a "safelogging" feature that causes it to not log any sensitive material at Notice or higher. We should implement something similar for Arti.
To clarify, when the SafeLogging option is enabled, then instead of logging stuff like "Error while connecting to 10.2.3.5:9001", Tor will log messages like "Error while connecting to [scrubbed]". In Tor, it works by having a safe_str(s) function that returns either its input, or the string "[scrubbed]", depending on whether a global option is set.
That's a bit harder to do in Rust, where we'd rather avoid global variables, and where we can log lots of types that aren't strings. Perhaps instead we can do something that tags certain arguments as Sensitive, and then configure tracing providers or filters to expose them or not. I don't know if that's possible within the tracing framework, though. We might have to get creative here.
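One way to sketch the Sensitive tagging idea without a global variable, as an added example that is not code from Arti or Tor: the wrapper always scrubs under Display and Debug, and only an explicitly passed policy can reveal the inner value. LogPolicy, Shown, show and connect_error are hypothetical names, and plain format! stands in for a tracing macro.

```rust
use std::fmt;
use std::net::SocketAddr;

/// Marks a value as sensitive. Display and Debug always scrub, so a stray
/// `{}` or `{:?}` in a log call cannot leak the inner value by accident.
pub struct Sensitive<T>(T);

impl<T> Sensitive<T> {
    pub fn new(v: T) -> Self { Sensitive(v) }
}
impl<T> fmt::Display for Sensitive<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[scrubbed]") }
}
impl<T> fmt::Debug for Sensitive<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[scrubbed]") }
}

/// Hypothetical logging policy, passed explicitly instead of read from a global.
#[derive(Clone, Copy)]
pub struct LogPolicy { pub safe_logging: bool }

/// Display adapter: reveals the inner value only when the policy allows it.
pub struct Shown<'a, T> { val: &'a Sensitive<T>, reveal: bool }

impl LogPolicy {
    pub fn show<'a, T>(&self, val: &'a Sensitive<T>) -> Shown<'a, T> {
        Shown { val, reveal: !self.safe_logging }
    }
}
impl<T: fmt::Display> fmt::Display for Shown<'_, T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if self.reveal { fmt::Display::fmt(&self.val.0, f) } else { f.write_str("[scrubbed]") }
    }
}

/// Builds the log line from the issue text; works for any Display type, not just strings.
pub fn connect_error(policy: LogPolicy, addr: &Sensitive<SocketAddr>) -> String {
    format!("Error while connecting to {}", policy.show(addr))
}

fn main() {
    // Constructed sample address, taken from the example message above.
    let addr = Sensitive::new("10.2.3.5:9001".parse::<SocketAddr>().unwrap());
    println!("{}", connect_error(LogPolicy { safe_logging: true }, &addr));
    println!("{}", connect_error(LogPolicy { safe_logging: false }, &addr));
}
```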