docs(design): SEC-1.i receiver wiring follow-up -- deferred sites require carrier refactor

[oferchen]

Summary

• Catalogues the seven receiver-side metadata-application call sites that would consume the SEC-1.i sandbox helpers (fchmodat/fchownat/utimensat via-sandbox-or-fallback), with the in-scope DirSandbox availability per site.
• Identifies the shared carrier blocker: metadata does not depend on fast_io, and every candidate site funnels through metadata::apply_metadata_from_file_entry (and its variants) which directly issue set_permissions / chownat(CWD, ...) / set_file_times with no carrier parameter.
• Picks the same partial-wiring/explicit-deferral shape PR feat(fast_io): renameat sandbox helper (SEC-1.j) #4693 took for SEC-1.j when the carrier slice dominated the per-site work; captures the carrier-design options (add fast_io dep, extract a trait, or add a callback) and the re-open trigger for when the carrier-design PR lands.
• Doc-only change. No Rust touched. PR feat(fast_io): fchmodat/fchownat/utimensat sandbox helpers (SEC-1.i) #4690 already shipped the three sandbox helpers.

Test plan

• No code changes; no test impact.
• Doc grep confirms no AI-tooling references, no em-dashes, hyphen-only punctuation per writing-style rule.
• CI fmt+clippy run as a no-op cost check on the docs-only diff.