TPA-RFC: define policy on prometheus exporters

while we have some way for people to add exporters to our prometheus/grafana setup, it's not clear how they should actually export those metrics to us.

here are the questions that need answering in this proposal:

1. how to expose metrics (port number? dedicated vhost? different subpath? we do all of those right now)
2. (how) to encrypt the communication between the scraper and exporter (TLS? plain http? either? we do both right now)
3. (how) to *restrict access to the exporters? (IP-based allow lists? HTTP user/pass auth? bearer tokens? TLS client certs? nothing? i believe we do everything but TLS client certs and, hopefully "nothing" here)

The question of the time series privacy is out of scope here and handled in #40755 (closed), where we are currently heading towards tor-internal level privacy, and merging Prometheus servers in a single cluster.

this came up in operations with anti-censorship (e.g. #41265 (closed)) but also the network-health folks, which are all stakeholders.