Merge bitcoin/bitcoin#34267: net: avoid unconditional privatebroadcast logging (+ warn for debug logs)

b39291f4cd doc: fix `-logips` description to clarify that non-debug logs can also contain IP addresses (Lőrinc)
c7028d3368 init: log that additional logs may contain privacy-sensitive information (Lőrinc)
31b771a942 net: move `privatebroadcast` logs to debug category (Lőrinc)

Pull request description:

  ### Motivation
  The recently merged [private broadcast](https://github.com/bitcoin/bitcoin/pull/29415) is a privacy feature, and users may share `debug.log` with support.
  Unconditional `LogInfo()` messages that mention private broadcast and/or include (w)txids can leak sensitive context (e.g. which transactions a user originated).
  Since it's meant to be a private broadcast, we should minimize leaks.
  It's a best effort, it's not invalidated by other logs possibly leaking identifiable information, those can be addressed separately.
  We're not promising that the logs won't ever contain data that could be used against the user, but we should still try to minimize that data, especially for a feature that's advertised as privacy-focused.

  Follow up to [#29415 (comment)](https://github.com/bitcoin/bitcoin/pull/29415#discussion_r2637012294)

  ### Changes
  * Move private-broadcast event logs from `LogInfo()` to `LogDebug(BCLog::PRIVBROADCAST, ...)`, so they are only emitted when `-debug=privatebroadcast` was explicitly provided.
  * Remove hardcoded `"[privatebroadcast]"` log-string prefixes (category logging already adds the prefix).
  * Keep warning at the default log level for startup failures.
  * Add an init log (not a warning since that would require excessive test framework updates) when any `-debug` categories are enabled that additional logs may contain privacy-sensitive information and should not be shared publicly.
  * Update a related startup arg (`-logips`) to clarify that clarify that non-debug logs can also contain IP addresses.

  ### Reproducer
  The new warning can be checked with:
  ```bash
  ./build/bin/bitcoind -printtoconsole=1 -stopatheight=1 -listen=0 -connect=0 | grep 'Debug logging is enabled' | wc -l
         0
  ./build/bin/bitcoind -printtoconsole=1 -stopatheight=1 -listen=0 -connect=0 -debug | grep 'Debug logging is enabled' | wc  -l
         1
  ```

ACKs for top commit:
  janb84:
    re ACK b39291f4cd
  vasild:
    ACK b39291f4cd
  andrewtoth:
    ACK b39291f4cd
  frankomosh:
    crACK b39291f4cd .The approach and implementation look good. Moving private broadcast logs to debug only would effectively reduce privacy leaks for users sharing logs.
  sedited:
    ACK b39291f4cd

Tree-SHA512: feca25ebe72a03948ba436e25f9a682947966c4c09627e8f20201ef3872ddbce1c636cd82f06be1afdc09cb80da305058667c0c2eaeadeb351311155325ea06f

src/net.cpp

@@ -3225,7 +3225,7 @@ void CConnman::ThreadPrivateBroadcast()
         std::optional<Proxy> proxy;
         const std::optional<Network> net{m_private_broadcast.PickNetwork(proxy)};
         if (!net.has_value()) {
-            LogWarning("[privatebroadcast] Connections needed but none of the Tor or I2P networks is reachable");
+            LogWarning("Unable to open -privatebroadcast connections: neither Tor nor I2P is reachable");
             m_interrupt_net->sleep_for(5s);
             continue;
         }