hardening: clarify the whitelist logic

Per @Ericson2314's suggestion [1], make it more clear that the active
hardenings are decided via whitelist; the blacklist is merely for the
debug messages.

1: https://github.com/NixOS/nixpkgs/pull/28029/commits/36d5ce41d4538e83199a000e6f849442c1cf959c#r133279731