Add .setsafe for Ghostscript command

This effectively reverts commit e28b880c ("Revert adding .setsafe for Ghostscript command") with additional fixes. This restores the security measure when running LilyPond without the Ghostscript API.

For this to work, the most important change is to enable the access controls only after opening the input file, but before running the PostScript code. Also allow access to the formattable OutputFile for the PNG backend which is needed for versions greater than 9.50 that implement the new SAFER method.