Apply safelog's "Sensitive" tag to filenames, or otherwise redact them?

Paths on the filesystem can be sensitive, as in C:\Users\NickMathewson\AppData\Arti\, or as in /srv/onion-services/nicks-onion-blog/.

But redacting paths on the file system can lead to frustrating errors, as in "Could not open [...]" or "Could not open ${APP_STATE}".

On Unix-like systems we can make progress by extracting $HOME from the start of the path and replacing it with ~, but that isn't really a done thing on Windows AFAIK.

If we come up with a good solution here, we should consider applying it to the locations that include paths in our log messages or errors: fs-mistrust, tor-persist, and tor-dirmgr.