Don't allow the desktop user to pass arguments to tails-upgrade-frontend (Closes: #7410)

... and accordingly update the design document and manual test suite steps.

The tails-upgrade-frontend program is run as the tails-upgrade-frontend user,
that is basically equivalent to root. Some of the available
tails-upgrade-frontend options might be dangerous. I've looked at it quickly and
didn't find anything scary, but still, it's simply not worth taking the risk of
privilege escalation, persistent root kit implementation, and so on.

Strictly speaking, this change does not really belong to
bugfix/7345-upgrade-from-iso-from-1.0-to-1.1, and could have been implemented
separately. However, this branch introduces running as root a syslinux binary
taken from the installed IUK, so it raised the flag that made me want to lock
this down a bit more.