DF-0120
Unprivileged read of all kernel env variables (boot/loader secrets)
Summary
KENV_GET(:135-149) and sysctl_kenv_boot(:472-501) expose all boot loader env vars to any local user. No caps_priv_check on read paths. Secrets in loader.conf (passwords, keys) disclosed. Documented BSD behavior but defense-in-depth gap.