Add a principle that sites should not be _able_ to retaliate when users say no

[jyasskin]

w3c/a11y-request#74 (comment) by @AutoSponge suggested

(user agents) (API designers) Global opt-out and lack of consent should be indistinguishable to any website from a user agent that is not capable of presenting its user an opt-in or choice to consent.

We have a statement to this effect in https://w3ctag.github.io/design-principles/#device-ids:

A web app should not be able to distinguish between the user rejecting permission to use a sensor/capability, and the sensor/capability not being present.

but we think it would also make sense to mention in https://w3ctag.github.io/privacy-principles/#non-retaliation, which is currently only addressed to sites. However, we don't think we should delay this version of the W3C Statement on this, so I've marked this backburner to address for the next version.

@pes10k mentioned that there are some cases where regulations create different requirements on websites if they get an explicit "no" instead of "I can't", so perhaps we should say that users should have the option of being explicit if they want to.

[hober]

@martinthomson points to https://github.com/w3ctag/design-principles/pull/476/files in #425.

[torgo]

As we discussed today, there is wording in the Design Principles doc:

"A web app should not be able to distinguish between the user rejecting permission to use a sensor/capability, and the sensor/capability not being present."

under §9.1 so maybe we don't need additional text here since already talk about non-retaliation in §2.14. However we may need a cross-link or something similar.