
Validate file paths in device transfer to prevent path traversal#6218

Open
rm335 wants to merge 1 commit into signalapp:main from rm335:fix/device-transfer-path-traversal

Conversation

@rm335

@rm335 rm335 commented Mar 12, 2026

First time contributor checklist

Contributor checklist

  • My commits are rebased on the latest main branch
  • My commits are in nice logical chunks
  • My contribution is fully baked and is ready to be merged as is
  • I have tested my contribution on these multiple real devices.

Description

The device transfer restore flow uses file.relativePath and file.identifier from the received protobuf manifest to construct file paths. These values originate from an external device via MultipeerConnectivity and are not validated on the receiving side.

The sender already validates paths in pathRelativeToAppSharedDirectory() (checking for .., ., ~), but the receiver did not apply the same validation. A crafted manifest with ../ in relativePath could cause files to be written outside the intended appSharedDataDirectory.

Fix: Adds a sanitizedPath(for:within:) helper that resolves the path via URL.standardized and verifies it stays within the base directory. Applied to all three affected code paths:

  • moveManifestFiles() (modern restore)
  • restoreTransferredDataLegacy() (legacy restore)
  • verifyTransferCompletedSuccessfully() (verification)

Legitimate transfers are unaffected — valid relative paths like Attachments/uuid/file.dat pass the check.
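A stand-alone illustration of the containment check the description outlines, written for this page rather than taken from the PR or from Signal's code base: the function name mirrors the one mentioned above, but its body, the base directory and the sample manifest paths are assumptions.

```swift
import Foundation

/// Hypothetical helper (not the PR's code): join an untrusted relative path from a
/// received manifest onto a trusted base directory, returning nil if the result
/// would land outside that directory.
func sanitizedPath(for untrustedRelativePath: String, within baseDirectory: URL) -> URL? {
    // An absolute path would discard the base entirely, so reject it up front.
    guard !untrustedRelativePath.hasPrefix("/") else { return nil }

    // Lexically collapse "." and ".." in both the base and the joined candidate.
    let base = baseDirectory.standardizedFileURL
    let candidate = base.appendingPathComponent(untrustedRelativePath).standardizedFileURL

    // Containment is a prefix check that includes the trailing separator, so that
    // "/shared-evil/x" is not accepted as being inside "/shared".
    let basePath = base.path.hasSuffix("/") ? base.path : base.path + "/"
    guard candidate.path.hasPrefix(basePath) else { return nil }
    return candidate
}

// Constructed sample manifest paths; the base directory is an assumption.
let appSharedDataDirectory = URL(fileURLWithPath: "/var/mobile/appSharedData")
let samplePaths = [
    "Attachments/uuid/file.dat",        // legitimate: accepted
    "../../Library/Preferences/x.plist", // traversal: rejected
    "Attachments/../../escape.dat",      // traversal hidden mid-path: rejected
    "/etc/hosts",                        // absolute: rejected
]
for relativePath in samplePaths {
    let result = sanitizedPath(for: relativePath, within: appSharedDataDirectory)
    print(relativePath, "->", result?.path ?? "REJECTED")
}
```

The check is purely lexical: a component inside the base directory that already exists as a symlink can still point elsewhere, so resolve symlinks (for example with resolvingSymlinksInPath()) or forbid them separately when the base is not fully under the receiver's control.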

