Add Private Token Permission Policy and Fetch Integration explainer

[sysrqb]

This is an explainer that describes how private tokens may be exposed in third-party contexts and integration into Fetch algorithms.

[sysrqb]

One known remaining/missing piece is integrating the permission policy into Fetch.

[annevk]

I suggest we add a sentence at the very end so we can merge this and address that later:

TODO: Permission Policy integration to enable this for cross-origin documents.