Add --sandbox flag to prevent dynamic loading of other files/data. #3092

Open
wants to merge 2 commits into base: master

Commits on Apr 12, 2024

  1. Add --sandbox flag to prevent dynamic loading of other files/data.

    Some use cases for `jq` may involve accepting untrusted input.
    See discussion in jqlang#1361 for some security considerations that
    may be relevant for those use cases.
    
    This commit adds a `--sandbox` flag which is meant to mitigate
    one category of security issue with untrusted input:
    features of jq which are meant to let the jq filter access
    files/data other than the direct input data given to the CLI.
    
    Specifically, the new `--sandbox` flag blocks the implicit
    loading of `$HOME/.jq`, and also blocks the use of
    `import` and `include` for loading other `jq` files.
    
    If other features are added to `jq` in the future which allow
    for reading files/data as part of the filter syntax, it is
    intended that the `--sandbox` flag would also gate access to those.
    jemc committed Apr 12, 2024 (commit 45ac611)

Commits on Apr 19, 2024

  1. Update --sandbox flag behavior to clear environment variables.

    In a security-sensitive environment where the `--sandbox` flag
    can be used to mitigate some categories of threats from untrusted
    filter code and/or untrusted JSON data, it is also desirable
    to prevent leaking environment variable values (which often
    can include secrets in some environments).
    
    This commit does so by updating the behavior of `--sandbox` to
    also clear the environment variables seen by the jq filter code
    in the `$ENV` value and `env` builtin.
    jemc committed Apr 19, 2024 (commit c39f447)
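The two commit messages above describe three channels through which a jq filter can reach beyond its direct input: the implicitly loaded `$HOME/.jq`, `import`/`include` of other jq files, and environment variables through `env` and `$ENV`. The following wrapper is an added example, not code from the jq project or from this PR; it assumes a jq build that does not yet have `--sandbox` and approximates the flag from the outside, relying on jq's documented behaviour that `-L` replaces the built-in module search list rather than appending to it. The function and directory names are the example's own.

```python
"""Run jq filters over untrusted input with a minimal environment.

Added example, not code from the jq project or from this PR. It assumes a
jq build *without* the proposed --sandbox flag and approximates the flag
from the outside: a fresh empty HOME (so no $HOME/.jq is loaded), an empty
module search path via -L (so import/include find nothing on the host),
and an environment containing only HOME (so env/$ENV expose no secrets).
"""
import json
import os
import shutil
import subprocess
import tempfile


def jq_available():
    """True if a jq binary is on PATH (the wrapper needs one to run)."""
    return shutil.which("jq") is not None


def build_sandboxed_command(jq_filter, extra_args=(), jq_binary=None):
    """Return (argv, env) for running jq_filter in an approximated sandbox.

    Two fresh, empty directories are created: one serves as HOME and one as
    the *only* module search directory. jq's -L option replaces the built-in
    search list (~/.jq, $ORIGIN/../lib/jq, ...) instead of extending it, so
    import/include cannot reach library files elsewhere on the host.
    """
    # Resolve to an absolute path now, because the child gets no PATH at all.
    binary = jq_binary or shutil.which("jq") or "jq"
    scratch = tempfile.mkdtemp(prefix="jq-sandbox-")
    home = os.path.join(scratch, "home")
    libdir = os.path.join(scratch, "lib")
    os.mkdir(home)
    os.mkdir(libdir)
    # Only HOME survives: a filter evaluating `env` or `$ENV` sees nothing else.
    env = {"HOME": home}
    argv = [binary, "-L", libdir, *extra_args, jq_filter]
    return argv, env


def sandbox_is_clean(argv, env):
    """Check the invariants the sandbox relies on before jq is started."""
    libdir = argv[argv.index("-L") + 1]
    return (
        set(env) == {"HOME"}
        and os.path.isdir(env["HOME"]) and not os.listdir(env["HOME"])
        and os.path.isdir(libdir) and not os.listdir(libdir)
    )


def run_sandboxed(jq_filter, stdin_text, extra_args=()):
    """Run jq_filter over stdin_text in the sandbox; returns CompletedProcess."""
    argv, env = build_sandboxed_command(jq_filter, extra_args)
    try:
        return subprocess.run(argv, input=stdin_text, env=env,
                              capture_output=True, text=True, timeout=30)
    finally:
        # Remove the scratch HOME and module directory once jq has exited.
        shutil.rmtree(os.path.dirname(env["HOME"]), ignore_errors=True)


def env_keys_visible_to_filter():
    """Names a sandboxed filter can read through `env` (expected: ['HOME'])."""
    proc = run_sandboxed("env | keys", "null", extra_args=("-c",))
    proc.check_returncode()
    return json.loads(proc.stdout)


if __name__ == "__main__":
    print("environment names visible to the filter:", env_keys_visible_to_filter())
```

Running the module prints `['HOME']`, whereas an unwrapped `jq -n 'env | keys'` lists every variable of the calling shell. The wrapper only covers the three channels the PR names; anything the invoker passes explicitly, such as `--rawfile` or `--slurpfile`, is still under the invoker's control and is not affected.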