Teach broker to accept trusted scripts at startup

[lawnsea]

The only reliable way I am aware of to import cross-domain scripts into the
worker is via importScripts. However, if not interposed on, this method allows
untrusted code to leak private information. So, we need a trusted way to call
it.

The current plan is to install trusted message listeners at startup that run
in a "safe" environment (they have their own private copy of RegExp, e.g.).
They will only have references to those privileged methods and values that
they ask for and will not have access to the scope of the broker.

Rather than specifying privileged properties to keep via properties.retain, we
can instead just keep private references to those properties required by the
trusted scripts.

• Remove properties.retain from config and tests
• Refactor config.scripts to be config.scripts.untrusted
• Implement config.scripts.trusted