We want bootc to support both "generic, unlocked" systems that have persistent mutable state in /etc and "sealed" systems that are only configured via bootc and shouldn't have persistent mutable configuration.
(Similarly for /var, though in the general case for that I think people will instead want to allow-list at least some persistent paths, like the journal.)