Define a "redactable" trait, and use it when logging guard info

This provides a better solution for #627 (closed), and may be the basis of #556 (closed).

Concernts:

• I'm not sure I like how it looks next to our our sensitive APIs.
• It does tend to require a bunch of intermediary implementations, whereas sensitive doesn't.
• I still have the concerns from #627 (closed) that logging 2 bytes per guard may be too much under some circumstances.
• I'm not sure that the debug variant is necessary; maybe calling Debug on a Redacted should just call Display and wrap the result as an escaped string.

Assigning review to @Diziet based on earlier comments on #627 (closed), but I wouldn't mind feedback from eta too about design here.