
Protect database encryption key with Electron safeStorage API #6849

Draft
wants to merge 1 commit into
base: main

@pl4nty pl4nty commented Apr 1, 2024

First time contributor checklist:

Contributor checklist:

  • My contribution is not related to translations.
  • My commits are in nice logical chunks with good commit messages
  • My changes are rebased on the latest main branch
  • A yarn ready run passes successfully (more about tests here)
  • My changes are ready to be shipped to users

Description

Protecting local user data has been discussed extensively in #5703 and elsewhere. I recently watched Claudia speak at CrikeyCon about offline recovery of Signal messages, relying on the plaintext encryption key rather than noisy live attacks like keylogging.

As a simple mitigation, I've implemented Electron's safeStorage API to opportunistically encrypt the key with platform APIs like DPAPI on Windows and Keychain on macOS. I'd love some feedback on this approach, particularly:

  • Any additional features to accept this PR, e.g. migration of existing plaintext keys
  • Whether the mitigated threats (e.g. offline analysis and low-privilege malware) are worth the user impact (password prompts) on Linux and macOS

CI has passed on my fork and installers can be downloaded here. I've manually tested startup, messaging, and restarts on:

  • Windows 11 Education 22631.3374 (DPAPI)
  • Debian Bullseye in a devcontainer (basic_text)

Uses operating system key storage, or plain text on unknown Linux desktop environments

Signed-off-by: Tom Plant <tom@tplant.com.au>
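
The opportunistic scheme from the description and commit message above, as an added example that is not the PR's code: wrap the key with safeStorage when the platform offers real protection, fall back to plaintext on a `basic_text` Linux backend, and go one step beyond the PR by flagging legacy plaintext keys for migration. The record field names, the `fakeStorage` stub and the sample key are constructed for illustration.

```javascript
// Added example, not the PR's code. `storage` must expose the Electron
// safeStorage methods used below; in an app, pass electron.safeStorage.
// Record field names (key, encryptedKey) are hypothetical.

// Linux backends treated here as giving no real protection (assumption).
const WEAK_BACKENDS = new Set(['basic_text', 'unknown']);

function backendIsProtected(storage, platform) {
  if (!storage.isEncryptionAvailable()) return false;
  if (platform !== 'linux') return true; // DPAPI on Windows, Keychain on macOS
  return !WEAK_BACKENDS.has(storage.getSelectedStorageBackend());
}

// Build the config record to persist for a database key.
function protectKey(storage, platform, keyHex) {
  if (!backendIsProtected(storage, platform)) return { key: keyHex }; // plaintext fallback
  return { encryptedKey: storage.encryptString(keyHex).toString('base64') };
}

// Read a record back. `migrate` is true when a legacy plaintext key was found
// and the platform could now protect it, so the caller should rewrite the record.
function loadKey(storage, platform, record) {
  if (typeof record.encryptedKey === 'string') {
    const blob = Buffer.from(record.encryptedKey, 'base64');
    return { keyHex: storage.decryptString(blob), migrate: false };
  }
  if (typeof record.key !== 'string') throw new Error('no database key in config');
  return { keyHex: record.key, migrate: backendIsProtected(storage, platform) };
}

// Constructed stand-in for safeStorage so the example runs outside Electron.
// The XOR is a placeholder transform, not encryption.
function fakeStorage(backend) {
  const flip = (buf) => Buffer.from(Array.from(buf, (b) => b ^ 0x5a));
  return {
    isEncryptionAvailable: () => true,
    getSelectedStorageBackend: () => backend,
    encryptString: (s) => flip(Buffer.from(s, 'utf8')),
    decryptString: (b) => flip(b).toString('utf8'),
  };
}

const SAMPLE_KEY = '00112233445566778899aabbccddeeff'; // constructed value
console.log(protectKey(fakeStorage('gnome_libsecret'), 'linux', SAMPLE_KEY));
console.log(protectKey(fakeStorage('basic_text'), 'linux', SAMPLE_KEY));
```
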
pl4nty commented Apr 11, 2024

I've also implemented AppX packaging on a separate branch, which provides filesystem isolation on Windows.
