Formalise HRG as mandatory by default

[frivoal]

In #347, @lknik said:

I am also wondering if we could take this opportiunity to somewhat formalise HRG (here mostly focusing on security/privacy, i.e. as foreseen in this paper, see e.g. Section V) as mandatory by default, subject to the exceptions formed by "Automatic Update Approval"? I am simply a bit wary of a situation where a change in one feature, possibly in conjunction with other features or changes in them, unexpectedly open an undesirable consequence for the Web.

(refiling as a separate issue because it seems distinct form, even if related to, the rest, and triaging into later-than-P2020 as per the March 11 call)

This may be related to #130

[chaals]

At a fundamental level there is a requirement for changes to have received "wide review", which I and I believe the community at large understand to include review for important "horizontal" areas like accessibility, internationalisation, privacy, and security.

I think there is a different question here, which is to make those forms of review more explicit objectives of wide review, which could be achieved with an editorial change to the explanation of wide review.

[frivoal]

Closing as accepted, as wide review is mandatory, and and horizontal review is now explicitly documented as being part of wide review, so this is covered.