Figure out how to sandbox snowflake in a sensible way.
Since #20735 (moved) got merged, alpha bundles will start having snowflake. Much like meek (#20781 (closed)) I'm beyond reluctant to run that in the tor container (as in, I won't do it).
The sensible way to support this is to write the glue code that I talked about in the meek ticket to allow pts to have their own containers (it would be nice if tor could talk to PTs and proxies over AF_UNIX as well, now that I'm wishing).