Keeping secrets in memfd areas
Posted Feb 18, 2020 8:13 UTC (Tue) by flussence (guest, #85566)
Parent article: Keeping secrets in memfd areas
It'd be nice if this enables the use of hardware encryption widgets like SME transparently. AIUI it can't safely be turned on globally because some drivers expect to be able to peek and poke shared memory - but if an area's explicitly flagged as secret that shouldn't be an obstacle. Having the contents encrypted at rest would also mean it's safe to swap out (as long as the key isn't!).
