Modernize toolchain security flags
based on https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc, https://wiki.debian.org/Hardening, https://manpages.debian.org/unstable/dpkg-dev/dpkg-buildflags.1.en.html, and https://github.com/archlinux/svntogit-packages/blob/master/pacman/trunk/makepkg.conf:
-z relro is already enabled by https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/binutils/APKBUILD#L90 and can be removed from specs.
-z now is still needed to enable full relro for musl (it expands linker-marked relro region).
-fstack-clash-protection should probably be enabled by default.
-Wformat -Werror=format-security should be enabled in abuild.
-D_GLIBCXX_ASSERTIONS I think needs some investigation on binary size and performance.
-fcf-protection needs more investigation on which archs are compatible and what happens if specified on unsupported arch. afaik size/runtime cost is negligible though so probably should be enabled where supported.
-fasynchronous-unwind-tables is a debugging/backtrace flag, not security. already enabled by default upstream for aarch64, powerpc, s390, x86/x86_64.
-fexceptions for table thread cancellation I believe is not needed for musl because it just doesn't unwind on cancellation.
-D_FORTIFY_SOURCE, -fPIE -pie, -z relro, -z now, notext, -fstack-protector-strong are already enabled/used by default via gcc patches, specs, gcc/binutils configure args, and abuild.