aether
Addresses often leak secrets
Currently, ADDRESSes carry both the fields needed to identify which mailbox they point to and a SECRET field that indicates ownership of the mailbox. It is currently inconvenient to make sure that ADDRESSes are sanitized as they are shared with other processes, i.e., that their SECRET fields are blanked out. One could restructure this to make scrubbing automatic, or to make it clear when a public vs. private address is being used, or the serialization layer could automatically discard SECRET fields to prevent their implicit communication.
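
A sketch of the public/private split and the scrubbing serializer proposed above, added as an illustration and not taken from the aether code base. The type names, the `node` and `mailbox` identifying fields, the JSON wire format and the 16-byte secret are all assumptions.

```python
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PublicAddress:
    """Fields that identify a mailbox; safe to share with any process."""
    node: int      # assumed identifying field
    mailbox: int   # assumed identifying field

    def to_wire(self) -> bytes:
        return json.dumps({"node": self.node, "mailbox": self.mailbox}).encode()

    @classmethod
    def from_wire(cls, data: bytes) -> "PublicAddress":
        obj = json.loads(data)
        # Strict key check: a message carrying a secret is rejected, not ignored.
        if set(obj) != {"node", "mailbox"}:
            raise ValueError("unexpected fields in public address")
        return cls(int(obj["node"]), int(obj["mailbox"]))


@dataclass(frozen=True)
class OwnedAddress:
    """A PublicAddress plus the secret that indicates ownership."""
    public: PublicAddress
    secret: bytes = field(repr=False)  # kept out of repr() and log lines

    def to_wire(self) -> bytes:
        # Default serialization scrubs the secret automatically.
        return self.public.to_wire()

    def transfer_ownership(self) -> bytes:
        # Sending the secret requires calling this explicitly.
        obj = json.loads(self.public.to_wire())
        obj["secret"] = self.secret.hex()
        return json.dumps(obj).encode()

    def owns(self, presented: bytes) -> bool:
        # Constant-time comparison of the presented secret.
        return hmac.compare_digest(self.secret, presented)


def new_mailbox(node: int, mailbox: int) -> OwnedAddress:
    """Create an address with a fresh random secret (constructed sample)."""
    return OwnedAddress(PublicAddress(node, mailbox), secrets.token_bytes(16))
```

With this shape, a secret only leaves the process through `transfer_ownership()`, so call sites that share it are easy to find in review.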