
Add global privacy budget and per-impression-site quotas #237

@martinthomson

Description

We don't have a lot of text currently on privacy budget "safety limits", so we should rectify that.

The recent presentations we've had suggest two very simple protection measures:

  1. The global privacy budget, which might be the concrete thing we need to provide a privacy "guarantee".
  2. A quota for impression sites that we can use to ensure that one impression site can't exhaust the entire global budget.

There were other things in the work, but I think we can add just these for now.

We'll need to identify that each is some factor of the per-site budget, with some advice, but these are ultimately implementation-defined in a way that might need to be tweaked and tuned as we learn more. (For the quotas, @bmcase and I discussed maybe allowing some site-level heuristics that would help tighten things on the one hand, but expand to account for usage.)
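The two measures the issue proposes are easiest to reason about as one accounting check: a request spends epsilon against the querying site's per-site budget, against a global budget, and against a quota for each impression site whose impressions it used, and the request is refused if any of the three would be exceeded. The block below is an added illustration of that structure, not text or code from the specification or its authors. The names (`Limits`, `BudgetManager`, `simulate`), the choice to key the quota by impression site and the per-site budget by querying site, and the factors 4.0 and 2.0 are all assumptions made for the example; the issue itself leaves those factors implementation-defined.

```python
"""Toy privacy-budget accounting with a per-site budget, a global budget and
per-impression-site quotas.  Hypothetical example, not the spec's own code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Limits:
    per_site: float       # epsilon a single querying site may spend in an epoch
    global_factor: float  # assumed: global budget = global_factor * per_site
    quota_factor: float   # assumed: impression-site quota = quota_factor * per_site

    @property
    def global_budget(self) -> float:
        return self.global_factor * self.per_site

    @property
    def impression_quota(self) -> float:
        return self.quota_factor * self.per_site


class BudgetManager:
    """Tracks spending against all three limits for one epoch."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.global_spent = 0.0
        self.site_spent: Dict[str, float] = defaultdict(float)
        self.impression_spent: Dict[str, float] = defaultdict(float)

    def new_epoch(self) -> None:
        """Budgets are per epoch in this model; reset every counter."""
        self.global_spent = 0.0
        self.site_spent.clear()
        self.impression_spent.clear()

    def check(self, querying_site: str, impression_sites: Iterable[str],
              epsilon: float) -> Optional[str]:
        """Return None if the charge fits, else which limit it would exceed."""
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        lim = self.limits
        if self.site_spent[querying_site] + epsilon > lim.per_site:
            return "site"
        if self.global_spent + epsilon > lim.global_budget:
            return "global"
        for site in sorted(set(impression_sites)):
            if self.impression_spent[site] + epsilon > lim.impression_quota:
                return f"quota:{site}"
        return None

    def charge(self, querying_site: str, impression_sites: Iterable[str],
               epsilon: float) -> str:
        """All-or-nothing: spend only when every limit has room."""
        sites = set(impression_sites)
        reason = self.check(querying_site, sites, epsilon)
        if reason is not None:
            return reason
        self.site_spent[querying_site] += epsilon
        self.global_spent += epsilon
        for site in sites:
            self.impression_spent[site] += epsilon
        return "ok"


Request = Tuple[str, List[str], float]  # (querying site, impression sites, epsilon)


def simulate(limits: Limits, requests: Iterable[Request]) -> List[str]:
    """Apply requests in order within one epoch and report each outcome."""
    manager = BudgetManager(limits)
    return [manager.charge(q, imps, eps) for q, imps, eps in requests]


if __name__ == "__main__":
    # Constructed scenario: per-site budget 1.0, global 4.0, quota 2.0 per impression site.
    with_quota = Limits(per_site=1.0, global_factor=4.0, quota_factor=2.0)
    reqs: List[Request] = [("A", ["X"], 0.5)] * 3 + [
        ("B", ["X"], 0.5), ("C", ["X"], 0.5), ("D", ["X"], 0.5), ("D", ["Y"], 0.5)]
    print(simulate(with_quota, reqs))
    # With no separate quota (quota == global), impression site X alone can drain
    # the global budget and lock out a site that never touched X.
    no_quota = Limits(per_site=1.0, global_factor=4.0, quota_factor=4.0)
    drain: List[Request] = [(s, ["X"], 1.0) for s in "ABCD"] + [("E", ["Y"], 1.0)]
    print(simulate(no_quota, drain))
```

In the first run the fourth request from site D is refused with `quota:X` while the global budget still has room, so D can immediately succeed via impression site Y; in the second run, where the quota equals the global budget, four sites sharing impression site X exhaust the global budget and site E is refused with `global` even though it used a different impression site. That difference is the property the per-impression-site quota is meant to provide.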

Metadata

Labels

cr-blocker: This issue needs to be resolved before we go to CR (snapshot).
