Place vendor folder in the trustpath

[fiammybe]

This is security hardening : the vendor folder should not be publicly accessible. Initialy mentioned by @MekDrop here : #1677 (comment)
The problem is that the trustpath is not yet known at the moment of installation, and the installation program needs a working composer.
This will need some more experimenting with the installer.

The current Composer branch already supports moving the vendor folder (there is a directive in the composer file for that). The tricky part is to get the installer working with it.

[MekDrop]

Probably not best way but it would work:

1. Add to icms class new method:

/**
 * @internal
 */
public static function getVendorPath(): string
{
    if (defined('ICMS_TRUST_PATH') && ICMS_TRUST_PATH !== '') {
        return rtrim(ICMS_TRUST_PATH, '/\\') . '/vendor';
    }

    return rtrim(ICMS_ROOT_PATH, '/\\') . '/vendor';
}

2. use in common.php include like this:

require_once __DIR__ . '/../libraries/icms.php';
require_once icms::getVendorPath() . '/autoload.php';

Also, do not set vednor path in composer.json and everything I think should work, because composer by default in cache stores all paths relative to autoload.php. So it's safe to move paths.

Only problem is left that to make this work initially vendor/ should be possible to move - somehow it needs to have initially permissions good.