If Canton guarantees privacy at the protocol level, how does the Ledger API prevent privileged applications, indexers, or participant-side integrations from becoming the true source of metadata leakage, behavioral profiling, and institutional surveillance beyond what DAML itself protects?