Make the root directory of the persistence non-world-readable
Things like #7443 (closed) would not be an issue if
/live/persistence/TailsData_unlocked/ had e.g. permissions 0770. What
prevents us from doing this?
The dotfiles feature, however, requires the
amnesia user to at least have
x access to this directory, which we could grant via ACLs.
Apart from that, the persistent directories are
bind-mounted to places that this user can read.
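
The layout proposed above (mode 0770 plus an x-only ACL entry for one user), as an added example that is not part of the original issue and is not Tails code. The function names `other_bits` and `harden_dir` are hypothetical, and the demo runs on a constructed temporary directory with the current UID standing in for the amnesia user.

```shell
#!/bin/sh
# Added example, not Tails code. Function names are hypothetical.

# Print the permission bits (0-7) that the "other" class holds on a path.
other_bits() {
    mode=$(stat -c %a "$1") || return 1
    echo $(( 0$mode & 7 ))
}

# Apply the proposed layout: mode 0770, then an x-only ACL entry for one
# user so that user can traverse the directory but not list it.
harden_dir() {
    dir=$1
    user=$2
    chmod 0770 "$dir" || return 1
    if command -v setfacl >/dev/null 2>&1; then
        # The filesystem may lack ACL support; report it instead of failing.
        setfacl -m "u:${user}:--x" "$dir" 2>/dev/null ||
            echo "warning: ACL entry for $user not applied on $dir" >&2
    else
        echo "warning: setfacl not installed, no ACL entry added" >&2
    fi
    return 0
}

# Demo on a constructed temporary directory that starts world-readable.
# The current UID stands in for the amnesia user (assumption).
demo() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"
    echo "before: mode=$(stat -c %a "$d") other=$(other_bits "$d")"
    harden_dir "$d" "$(id -u)"
    echo "after:  mode=$(stat -c %a "$d") other=$(other_bits "$d")"
    if command -v getfacl >/dev/null 2>&1; then
        getfacl -p "$d" 2>/dev/null || true
    fi
    rm -rf "$d"
}
demo
```

On a real system the call would be `harden_dir /live/persistence/TailsData_unlocked amnesia`, run as root; an `other` value of 0 afterwards means only the owner, the group and the named ACL user can reach the directory at all.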