
Limit access to privileged tables in app space

Open eddyashton opened this issue 3 years ago • 0 comments

We currently have a distinction between different kinds of internal CCF governance tables and application tables (applications can read governance but not write it; even governance can't write internal system tables like signatures), but we make no distinction between application tables.

The historical view on this was that they were all in the same trust domain, so any attempt at sandboxing could be circumvented (i.e. if you're writing a native app, you can always poke around in memory and find secret state you weren't supposed to see). This isn't true in scripting runtimes: for example, in JS we can intercept all KV accesses and reliably prevent writes to governance tables. There is a request to offer the same protection in application tables, so we can support large apps with multiple privilege rings.

I think this would be implemented in the form of a per-endpoint allowlist/blocklist of tables, enforced by any sandboxing layer (i.e. JS interpreter, remote BL dispatcher, etc.). It may also be interesting to offer a mid-transaction kill-switch (i.e. "from now on, don't let me access these tables"), to support offloading work to less privileged code within transaction execution.

eddyashton · Aug 03 '22 16:08
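The following is an added sketch (not CCF code, and not the API CCF's JS runtime exposes) of the mechanism the issue proposes: a per-endpoint table allowlist with read/write rights, enforced at the single point where application code obtains table handles, plus a monotonic mid-transaction kill-switch. `Transaction`, `SandboxedTx`, `dispatch`, the endpoint paths and the table contents are all constructed for this example.

```javascript
// Added illustration; hypothetical names throughout, not CCF's KV API.
const READ = 1, WRITE = 2;

class AccessDenied extends Error {}

// Stand-in for the raw KV transaction: table name -> Map of key -> value.
class Transaction {
  constructor(seed = {}) {
    this.tables = new Map();
    for (const [name, rows] of Object.entries(seed)) {
      this.tables.set(name, new Map(Object.entries(rows)));
    }
  }
  table(name) {
    if (!this.tables.has(name)) this.tables.set(name, new Map());
    return this.tables.get(name);
  }
}

// Sandboxed view handed to application code. `table()` is the one
// interception point; handles only expose what the policy currently allows.
class SandboxedTx {
  // policy: { tableName: READ | WRITE | (READ|WRITE) }; unlisted tables are
  // inaccessible (allowlist semantics). Copied per transaction so the
  // kill-switch never mutates the endpoint registry.
  constructor(tx, policy) {
    this.tx = tx;
    this.policy = new Map(Object.entries(policy));
  }
  rights(name) { return this.policy.get(name) || 0; }

  table(name) {
    if (this.rights(name) === 0) throw new AccessDenied(`${name}: not in allowlist`);
    const raw = this.tx.table(name);
    const self = this;
    return {
      // Rights are re-checked on every call, so a handle obtained before the
      // kill-switch fired is revoked along with the table.
      get(key) {
        if (!(self.rights(name) & READ)) throw new AccessDenied(`${name}: read revoked`);
        return raw.get(key);
      },
      set(key, value) {
        if (!(self.rights(name) & WRITE)) throw new AccessDenied(`${name}: write denied`);
        raw.set(key, value);
      },
    };
  }

  // Mid-transaction kill-switch: keep only `keep` rights on `name` for the
  // rest of this transaction. Bits can be cleared but never set, so less
  // privileged callee code cannot widen its own access.
  restrict(name, keep = 0) { this.policy.set(name, this.rights(name) & keep); }
}

// Per-endpoint declaration of the tables each handler may touch.
const endpoints = {
  "/orders/create": { orders: READ | WRITE, users: READ },
  "/audit/read":    { orders: READ },
};

function dispatch(path, tx, handler) {
  const policy = endpoints[path];
  if (!policy) throw new Error(`unknown endpoint ${path}`);
  return handler(new SandboxedTx(tx, policy));
}

// Exercises the four cases: permitted access, write on a read-only table,
// table outside the allowlist, and the kill-switch revoking a live handle.
function demo() {
  const tx = new Transaction({ users: { alice: "active" }, orders: {} });
  const outcome = (fn) => {
    try { return fn(); } catch (e) { return e instanceof AccessDenied ? "denied" : "error"; }
  };
  const r = {};
  r.created = outcome(() => dispatch("/orders/create", tx, (kv) => {
    const status = kv.table("users").get("alice");
    kv.table("orders").set("o1", { user: "alice", status });
    return kv.table("orders").get("o1").status;
  }));
  r.auditWrite = outcome(() => dispatch("/audit/read", tx,
    (kv) => { kv.table("orders").set("o2", {}); return "allowed"; }));
  r.o2Written = tx.table("orders").has("o2");
  r.auditUsers = outcome(() => dispatch("/audit/read", tx,
    (kv) => kv.table("users").get("alice")));
  r.killSwitch = dispatch("/orders/create", tx, (kv) => {
    const orders = kv.table("orders");   // obtained while writable
    kv.restrict("orders", READ);         // from now on: read only
    kv.restrict("users");                // from now on: no access
    const stillReadable = orders.get("o1").user;
    return outcome(() => { orders.set("o3", {}); return "write-allowed"; }) + ":" + stillReadable;
  });
  return r;
}
```

The check lives in the handle rather than in `dispatch` so that the kill-switch also covers handles a privileged caller created before narrowing its rights and then passed to less trusted code; a policy that was only evaluated when the handle was created would leave that hole open.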