modules/programs: don't expose *all* of /run/secrets/home to every program

this was actually causing a lot of bwrap errors because that directory's not user-readable

turns out any program which already uses programs.xyz.secrets gets the /run/secrets mounts for free via symlink following

modules/programs/default.nix

@@ -81,13 +81,11 @@ let
 
             "/etc"  #< especially for /etc/profiles/per-user/$USER/bin
             "/run/current-system"  #< for basics like `ls`, and all this program's `suggestedPrograms` (/run/current-system/sw/bin)
-            "/run/wrappers"  #< SUID wrappers, in this case so that firejail can be re-entrant
-            # "/bin/sh"  #< to allow `firejail --join=...` (doesn't work)
+            "/run/wrappers"  #< SUID wrappers, in this case so that firejail can be re-entrant. TODO: remove!
             "/run/systemd/resolve"  #< to allow reading /etc/resolv.conf, which ultimately symlinks here
             # /run/opengl-driver is a symlink into /nix/store; needed by e.g. mpv
             "/run/opengl-driver"
             "/run/opengl-driver-32"  #< XXX: doesn't exist on aarch64?
-            "/run/secrets/home"  #< TODO: this could be restricted per-app based on the HOME paths they need
             "/usr/bin/env"
           ] ++ lib.optionals (builtins.elem "system" sandbox.whitelistDbus) [ "/run/dbus/system_bus_socket" ]
             ++ sandbox.extraPaths ++ fullHomePaths ++ fullRuntimePaths;