Use os.Root for device file pulls

[besendorf]

Summary

This fixes the residual arbitrary host-path write risk in temp and Intrusion Logging acquisition paths.

The previous code derived host destinations from device-reported paths with strings.TrimPrefix and then passed those paths to adb pull. That allowed unsafe paths to escape the intended output directory, and the Intrusion Logging path made this worse by creating attacker-influenced parent directories with MkdirAll.

This PR:

• adds shared device child-path validation for paths reported by ADB
• uses os.Root for traditional-mode host writes so files are opened relative to the held output directory root
• streams device files into os.Root-opened files instead of passing host paths to adb pull
• keeps encrypted streaming paths using safe POSIX zip entry construction
• updates the module Go version to 1.26.3, the newest local toolchain available in this workspace
• adds regression tests for traversal, sibling-prefix, root-path, and symlink escape cases

Validation

• go test modules/paths.go modules/paths_test.go
• GOCACHE=/tmp/go-build go test -run=^$ -vet=off ./...
• GOCACHE=/tmp/go-build go build ./...

A normal GOCACHE=/tmp/go-build go test ./... still fails on pre-existing vet diagnostics in log/logger.go around Logger.out calls with arguments but no formatting directives.