Watchtower configuration is risky for hosts running more than just ozone

[Bossett]

See bluesky-social/pds#49 - ozone is better configured (only updates where labelled), but still does not limit scope to bluesky-only containers.

Instead of straight enable, all bluesky and bluesky-provided watchtower containers in the compose should be defined with:

labels:
      - "com.centurylinklabs.watchtower.scope=bluesky-social-ozone" # (e.g.)

Also note that multiple instances with conflicting configuration and no scopes will break - as-is, it will not be clear which watchtower instance is updating which containers (i.e. which configuration will load) when running both the PDS and Ozone on the same docker host, and it's possible that the PDS instance runs which ignores the label setting.