Sandboxed cross-contract calls

[nicc]

Wallet providers have expressed concern about running dependent contract code directly in the same environment, and have asked if it's possible to run each contract call in a sandbox.

The obvious way to achieve this is to serialise the cross-contract returns. This conflicts with a planned protocol feature which would introduce bi-directional communication between these contracts. @nholland94 has some thoughts on alternative ways to achieve this.

SDK team will draft the RFC and consult with Nathan before starting.

[mitschabaude]

Maybe the RFC could also address the following:

• How to express serializable contract calls as an API in o1js. The current contract call mechanism and API we have aren't suitable for communication across JS processes
• How the blinding factor (which serves as an input to the callData hash) is communicated between caller and callee
  • note: this factor has to be considered a secret if the goal is to keep the private user inputs hidden. However, private call inputs can't be hidden from the sandboxed callee context. So, there are no concerns with openly sharing the blinding factor with that sandboxed context