devel/got: use Capsicum

Thanks to the design of Got, the libexec helpers don't need any resource
(in fact they run under pledge "stdio recvfd" on OpenBSD) and so using
cap_enter(2) on FreeBSD is dead-easy.

While the main process can't be sandboxed on FreeBSD (needs to exec the
helpers), all the tough work is done by these small libexec helpers
which is also the biggest attack surface.

Obstained from:	Omar Polo