Make the root directory of the persistence non-world-readable

Originally created by @intrigeri on #7465 (Redmine)

Things like #7443 (closed) would not be an issue if /live/persistence/TailsData_unlocked/ had e.g. permissions 0770. What prevents us from doing this?

The dotfiles feature, however, requires the amnesia user to at least have x access to this directory, which we could grant via ACLs. Apart of that, the persistent directories are bind-mounted to places that this user can read.

Related issues

Related to #7443 (closed)
Related to #14508

Edited Oct 18, 2020 by intrigeri

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information