Decide how and when to use zeroize, and do it consistently.
Our current use of the zeroize crate is somewhat haphazard: we zeroize some things that we probably don't need to, and leave others un-zeroed.
We should decide what, specifically, we want to zeroize, and we should have a motivation for doing it. Then we should go through our crates and make sure that the right stuff is marked to get zeroized.
(This ticket is in lieu of some XXXX comments we used to have about zeroizing internal state for the KDFs in tor-proto, assuming we can even do that.)