[RRFC] `npm init` should default to `private: true`
Motivation ("The Why")
It's a safer default. The cost of removing one line for those intending to publish a package is near-zero. The cost of accidentally publishing a package you don't want to is potentially quite high.
How
Current Behaviour
`npm init` creates a publishable `package.json`
Desired Behaviour
`npm init` creates an unpublishable `package.json` with `private: true`
References
Related to #572.
It'd be great to include this in npm 9.
It'd also be fine to add a prompt question that defaulted to private, so interactively or via config, users could still choose to produce a publishable package.json.
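The flow the RFC describes, as an added example that is not part of the original post and not npm's own code: a manifest shaped like today's `npm init -y` output (constructed sample), the proposed `private: true` default with an explicit opt-out for users who intend to publish, and the guard `npm publish` already applies to a manifest marked private (npm refuses it with error code `EPRIVATE`). The function names and the `publishable` option are assumptions made for illustration, not an npm API.

```javascript
// Added example (not npm's code): models the proposed `npm init` default and
// the publish-time guard that makes `private: true` a safe default.

// What `npm init -y` produces today (constructed sample; publishable as-is).
const CURRENT_INIT_OUTPUT = {
  name: 'my-internal-tool',
  version: '1.0.0',
  description: '',
  main: 'index.js',
  scripts: { test: 'echo "Error: no test specified" && exit 1' },
  license: 'ISC',
};

// Proposed behaviour (hypothetical helper): the manifest written by `npm init`
// is unpublishable unless the user explicitly opts in, e.g. via a prompt that
// defaults to private or via config. An explicit `private: false` in the
// input is preserved, because the user set it deliberately.
function applyPrivateDefault(pkg, { publishable = false } = {}) {
  const out = { ...pkg };
  if (publishable) {
    delete out.private; // user chose to produce a publishable package.json
  } else if (out.private === undefined) {
    out.private = true; // the safer default the RFC asks for
  }
  return out;
}

// The guard npm already enforces at publish time: a manifest with
// `private: true` is refused before anything is sent to the registry.
// npm reports this as EPRIVATE; the message wording here is illustrative.
function assertPublishable(pkg) {
  if (pkg.private === true) {
    const err = new Error(`This package has been marked as private (${pkg.name})`);
    err.code = 'EPRIVATE';
    throw err;
  }
  return true;
}

// End-to-end: init, round-trip the manifest through JSON (as it would go
// through package.json on disk), then attempt to publish it.
function simulate(publishable) {
  const manifest = applyPrivateDefault(CURRENT_INIT_OUTPUT, { publishable });
  const onDisk = JSON.parse(JSON.stringify(manifest, null, 2));
  try {
    assertPublishable(onDisk);
    return { private: onDisk.private === true, published: true, code: null };
  } catch (err) {
    return { private: onDisk.private === true, published: false, code: err.code };
  }
}

console.log('default (no opt-in):', simulate(false)); // refused, code EPRIVATE
console.log('opted in to publish:', simulate(true));  // publish proceeds
```

The cost asymmetry the RFC argues is visible here: removing the default costs one deleted line in `package.json`, while the accidental publish it prevents is stopped by a check npm already performs, so the proposal adds no new publish-time logic.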