Isolate user avatar in a safer way
The TODO that gave birth to this issue was very generic on purpose. The whole idea behind it was to use the pluggable system of twisted.cred to isolate the access to blobs in a more proper way.
Right now, the token-based authentication in soledad.server.auth already uses twisted.cred, but it has a generic soledad resource realm.
One proposal would be, when doing authentication, to build a FileSystemBlobStorage specific realm, that already matches the folder for an user with the uuid that matches this user and its root storage folder.
This issue is related to #8805 in its goals, but tries to enforce a cleaner implementation. It also is move involved in terms of needed time, and therefore I would leave it for a later milestone.