feat(exrc): user must view and explicitly run ":trust" #35069

Problem:
It's relatively easy to mispress key `a` to (a)llow arbitrary execution
of 'exrc' files. #35050

Solution:
- For exrc files (not directories), remove "allow" menu item.
  Require the user to "view" and then explicitly `:trust` the file.

runtime/lua/vim/secure.lua

@@ -121,18 +121,16 @@ function M.read(path)
     return contents
   end
 
-  local dir_msg = ''
+  local dir_msg = ' To enable it, choose (v)iew then run `:trust`.'
+  local choices = '&ignore\n&view\n&deny'
   if hash == 'directory' then
     dir_msg = ' DIRECTORY trust is decided only by its name, not its contents.'
+    choices = '&ignore\n&view\n&deny\n&allow'
   end
 
   -- File either does not exist in trust database or the hash does not match
-  local ok, result = pcall(
-    vim.fn.confirm,
-    string.format('%s is not trusted.%s', fullpath, dir_msg),
-    '&ignore\n&view\n&deny\n&allow',
-    1
-  )
+  local ok, result =
+    pcall(vim.fn.confirm, string.format('%s is not trusted.%s', fullpath, dir_msg), choices, 1)
 
   if not ok and result ~= 'Keyboard interrupt' then
     error(result)
@@ -147,7 +145,7 @@ function M.read(path)
     -- Deny
     trust[fullpath] = '!'
     contents = nil
-  elseif result == 4 then
+  elseif hash == 'directory' and result == 4 then
     -- Allow
     trust[fullpath] = hash
   end