Consider making mistrust disablement env var part of mistrust API
In arti we now honour `ARTI_FS_DISABLE_PERMISSION_CHECKS`. ISTM that this is a feature that every use of `fs_mistrust` might want. We have already had CI failures due to our own binary crates not honouring the same env var. The config plumbing for this has started to become noticeable.
I am coming to the conclusion that the right answer is to move this env var into `fs_mistrust` (renaming it appropriately). This will also mean that other programs which use `fs_mistrust` won't need to take special measures to have an "override" option, and I think that's appropriate - it's doing the right thing by default.
I think `fs_mistrust` is entitled to trust such an environment variable.
(Assigning this to you @nickm for now; I hope that's OK with you. This discussion was partially prompted by review comments on !515 (merged).)
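As an added illustration (not code from arti or the `fs_mistrust` crate), here is a self-contained Rust sketch of what a library-level override could look like: the check reads the environment variable itself, so callers need no extra plumbing, and an unrecognised value is refused rather than silently disabling checks. The variable name, the accepted values and the group/other-writable mode-bit test are all assumptions.

```rust
// Added example: a model of how an fs_mistrust-style permission check could
// honour a library-level "disable" environment variable. This is NOT the
// real fs_mistrust code; the variable name and value semantics are assumed.
use std::env;
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// Assumed name of the override variable once it lives in the library.
pub const DISABLE_ENV_VAR: &str = "FS_MISTRUST_DISABLE_PERMISSION_CHECKS";

/// Interpret the variable's value. Unset/"false" means enforce checks,
/// "true" disables them, and anything else is an error: a typo must not
/// silently turn a security check off.
pub fn checks_disabled_by(value: Option<&str>) -> Result<bool, String> {
    match value.map(str::trim) {
        None | Some("") | Some("false") | Some("0") => Ok(false),
        Some("true") | Some("1") => Ok(true),
        Some(other) => Err(format!("unrecognised value {other:?} for {DISABLE_ENV_VAR}")),
    }
}

/// Reject a path that is writable by group or others (mode bits 0o022).
pub fn path_is_private(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode();
    Ok(mode & 0o022 == 0)
}

/// Core check, parameterised on the override value so it can be tested
/// without touching the process environment.
pub fn check_private_with(path: &Path, override_value: Option<&str>) -> Result<(), String> {
    if checks_disabled_by(override_value)? {
        return Ok(()); // Override honoured: skip the permission check entirely.
    }
    match path_is_private(path) {
        Ok(true) => Ok(()),
        Ok(false) => Err(format!("{} is writable by group or others", path.display())),
        Err(e) => Err(format!("cannot stat {}: {e}", path.display())),
    }
}

/// What a caller would invoke: the library reads the variable itself, so every
/// program using it gets the same override without its own config plumbing.
pub fn check_private(path: &Path) -> Result<(), String> {
    let raw = env::var(DISABLE_ENV_VAR).ok();
    check_private_with(path, raw.as_deref())
}
```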