Harden 'safe-expunging-process' #1135

Open
TomHennen opened this issue Sep 19, 2024 · 1 comment

@TomHennen

In #1094 (comment) @marcelamelara said

I understand the practical reasons for needing to make exceptions in specific edge cases, but I also worry that the safe expunging process may still be worded too broadly. As in, the level of trustworthiness in a source repo at L2 still isn't super high, so what's to stop a rogue/malicious repo admin from abusing the safe expunging exception, especially since there's no documentation requirement? I'm wondering if it might make sense to raise the level at which such exceptions are permitted to make sure certain controls are in place and/or narrow the scope of the safe expunging process.

Let's make sure we're happy with this process before release.

@adityasaky

More a follow-up question about the current text:

Administrators have the ability to expunge (remove) content from a repository and its change history without leaving a record of the removed content.

I'm trying to understand the "without leaving a record" requirement. Would we have no trace of an object whatsoever? As in, not even its git ID / digest?
