mash: Review security of Chrome/app -> ash mojo interactions
With our current design, any client connecting to ash (ash::mojom::kServiceName) could change a variety of ash settings (e.g. desktop background wallpaper, pinned shelf items, audio volume, etc.). We simply rely on the only client (Chrome) to do the right thing here. We should consider the implications of a compromised/malicious client connecting to ash, especially if/when we broaden the connection permissions beyond Chrome.
Tom and I discussed this in https://codereview.chromium.org/2718563008 comments #29-30:
Tom: We should chat sometime about what prevents clients from messing with each other's shelf items if the calls to change image etc. take an easily guessable app ID as a primary key ...
Mike: That's a very good question; I hadn't thought of that. I suppose we are just relying on the shelf client (Chrome) to do the right thing (i.e. only set each app's requested title/icon/etc.). Isn't that also true for all other chrome->ash interaction schemes (wallpaper, volume control, shelf alignment/auto-hide/pinning, etc.)? Perhaps that's not good enough? ... This might be of more concern once app-specific clients beyond chrome can connect to Ash.
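The concern above (a shelf-style interface keyed by a guessable app ID, with the service trusting whichever client calls it) reduces to a missing authorization check at the IPC boundary. The following is an added illustration written for this page, not Chromium or ash code: a minimal in-process model of a shelf service, first without any ownership check, then with two checks layered on: a connection-level capability (only designated clients may register app IDs at all) and per-item ownership (an app ID, once registered, may only be rewritten by the connection that registered it). Every class, function and identifier is hypothetical; ClientId stands in for whatever connection identity the service manager would attach to a mojo connection, and the app ID string is constructed for the example.

```cpp
// Added example (hypothetical names, not Chromium/ash code): an IPC-style shelf
// service keyed by app ID, with and without an ownership check on the key.
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>

// Assumption: the IPC layer attaches a stable identity to each connection.
using ClientId = int;

struct ShelfItem {
  std::string title;
  std::string icon;  // stands in for the image a client may set
};

// Weak design: any connected client may overwrite any item; the app ID is the
// only key and nothing ties it to the caller.
class WeakShelfService {
 public:
  bool SetItem(ClientId /*caller*/, const std::string& app_id, const ShelfItem& item) {
    items_[app_id] = item;  // no check that the caller owns app_id
    return true;
  }
  std::string IconOf(const std::string& app_id) const {
    auto it = items_.find(app_id);
    return it == items_.end() ? "" : it->second.icon;
  }
 private:
  std::map<std::string, ShelfItem> items_;
};

// Hardened design: only clients granted the capability may register app IDs,
// and an app ID is bound to the connection that registered it.
class OwnedShelfService {
 public:
  explicit OwnedShelfService(std::set<ClientId> may_register)
      : may_register_(std::move(may_register)) {}

  bool Register(ClientId caller, const std::string& app_id) {
    if (!may_register_.count(caller)) return false;  // capability check
    auto [it, inserted] = owners_.emplace(app_id, caller);
    return inserted || it->second == caller;        // no takeover of existing IDs
  }
  bool SetItem(ClientId caller, const std::string& app_id, const ShelfItem& item) {
    auto it = owners_.find(app_id);
    if (it == owners_.end() || it->second != caller) return false;  // ownership check
    items_[app_id] = item;
    return true;
  }
  std::string IconOf(const std::string& app_id) const {
    auto it = items_.find(app_id);
    return it == items_.end() ? "" : it->second.icon;
  }
 private:
  std::set<ClientId> may_register_;
  std::map<std::string, ClientId> owners_;
  std::map<std::string, ShelfItem> items_;
};

struct ScenarioResult {
  std::string weak_icon;       // what the weak service ends up showing
  std::string owned_icon;      // what the hardened service ends up showing
  bool rogue_could_register;
  bool rogue_could_write;
};

// Scenario: the legitimate shelf client sets an item, then a second
// (compromised) client tries to overwrite it using a guessed app ID.
ScenarioResult RunScenario() {
  const ClientId kShelfClient = 1;
  const ClientId kRogueClient = 2;
  const std::string kAppId = "ghdkjmjhdgbgcefgaamhnipffenfdlbl";  // constructed
  const ShelfItem real{"Files", "files.png"};
  const ShelfItem spoof{"Files", "lookalike.png"};

  WeakShelfService weak;
  weak.SetItem(kShelfClient, kAppId, real);
  weak.SetItem(kRogueClient, kAppId, spoof);  // silently succeeds

  OwnedShelfService owned({kShelfClient});    // only the shelf client may register
  owned.Register(kShelfClient, kAppId);
  owned.SetItem(kShelfClient, kAppId, real);
  const bool rogue_register = owned.Register(kRogueClient, kAppId);
  const bool rogue_write = owned.SetItem(kRogueClient, kAppId, spoof);

  return {weak.IconOf(kAppId), owned.IconOf(kAppId), rogue_register, rogue_write};
}

int main() {
  const ScenarioResult r = RunScenario();
  std::cout << "weak service shows:  " << r.weak_icon << "\n"
            << "owned service shows: " << r.owned_icon << "\n"
            << "rogue register/write: " << r.rogue_could_register << "/"
            << r.rogue_could_write << "\n";
  return 0;
}
```

The capability set matters as much as the ownership map: with ownership alone, a rogue client could pre-register (squat) an app ID before the legitimate client does. In a real service the identity should come from the connection itself rather than from any value the client passes in the message, since anything in the message is attacker-controlled.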
Comment 1 by dcheng@chromium.org, Mar 11 2017