Be "at least as secure" as Tor (as a client)

This is a fairly open-ended ticket; it is a requirement for %Arti 1.0.0: Ready for production use, but we need to decide what exactly it comprises.

Some likely candidates to include are:

SafeLogging (#189 (closed))
Zeroizing keys (#254 (closed))
Circuit isolation code (#150 (closed))
File permission checking (#315 (closed))
Setting per-process flags and dropping permissions as in C tor's winprocess_sys.c, restrict.c, setuid.h (#364 (closed))
Netflow padding (#62 (closed))

Some things not necessarily to include (now) are:

seccomp2 sandboxing (huge kludge, less necessary in Rust)
memory-DoS resistance (waits for %Arti 1.2.0: Onion service support )
hardened PRNG (current prng is "good enough")

Edited Feb 24, 2022 by Nick Mathewson