programs: ripgrep: sandbox with bwrap instead of landlock

this provides network isolation

hosts/common/programs/ripgrep.nix

@@ -1,8 +1,8 @@
 { ... }:
 {
   sane.programs.ripgrep = {
-    sandbox.method = "landlock";
-    sandbox.wrapperType = "wrappedDerivation";  # slow to build
+    sandbox.method = "bwrap";
+    sandbox.wrapperType = "wrappedDerivation";
     sandbox.autodetectCliPaths = true;
     sandbox.whitelistPwd = true;