/boot/efi/loader/random-seed is world readable #279

@basak-qcom

During systemd-boot installation from the image debos recipe, I see:

2026/02/27 16:08:37 apt | ⚠️ Mount point '/boot/efi' which backs the random seed file is world accessible, which is a security hole! ⚠️
2026/02/27 16:08:37 apt | ⚠️ Random seed file '/boot/efi/loader/.#bootctlrandom-seeda8497ce618ed8951' is world accessible, which is a security hole! ⚠️
2026/02/27 16:08:37 apt | Random seed file /boot/efi/loader/random-seed successfully written (32 bytes).

On the installed system, /boot/efi/loader/random-seed is indeed world readable.

Presumably this needs attention.
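
A defender-side check for the condition reported above, as an added example that is not part of the original issue or of the project's code. It treats "world accessible" as any "other" permission bit being set, and also inspects a vfat mount option string, since on a FAT-formatted ESP the modes come from the `umask`/`fmask`/`dmask` mount options rather than from `chmod`. The function names, the sample option strings and the 0022 fallback are assumptions; GNU `stat` is required.

```shell
#!/bin/sh
# Added example: audit an ESP mount point and its random seed for "other" access.
# Function names are hypothetical; option strings passed in are supplied by the caller.

# world_bits PATH -> prints the "other" permission bits (0-7) of PATH
world_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    echo $(( 0$mode & 07 ))
}

# vfat_mask OPTS KEY -> prints KEY's octal value from a mount option string,
# falling back to umask= and then to 0022 (assumed default when neither is set)
vfat_mask() {
    for key in "$2" umask; do
        val=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$key=//p" | head -n 1)
        [ -n "$val" ] && { echo "$val"; return 0; }
    done
    echo 0022
}

# opts_hide_other OPTS -> 0 if fmask and dmask both strip every "other" bit
opts_hide_other() {
    f=$(vfat_mask "$1" fmask); d=$(vfat_mask "$1" dmask)
    [ $(( 0$f & 07 )) -eq 7 ] && [ $(( 0$d & 07 )) -eq 7 ]
}

# audit_esp ESP_DIR -> 0 if neither the mount point nor the seed file is
# world accessible, 1 if either is, 2 if a path could not be inspected
audit_esp() {
    esp=$1; rc=0
    for p in "$esp" "$esp/loader/random-seed"; do
        [ -e "$p" ] || continue
        bits=$(world_bits "$p") || return 2
        if [ "$bits" -ne 0 ]; then
            echo "WORLD ACCESSIBLE: $p (other bits: $bits)"; rc=1
        fi
    done
    return $rc
}
```

Call `audit_esp /boot/efi` on the installed system, and pass the ESP's option string from `/proc/mounts` or `/etc/fstab` to `opts_hide_other` to see whether the mount options are the cause.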
