Keep /mnt/secure private to default namespace.

When vold mounts things in /mnt/secure/staging, it expects to MS_MOVE
those mountpoints when vetting is finished.  However, the kernel
doesn't allow MS_MOVE when the source is shared to child namespaces.

To work around this, create a tmpfs at /mnt/secure and mark it as
private (not shared).  Verified that vold can now successfully move
from the staging area.

Bug: 7094858
Change-Id: I5e05b1005c63efa277935c9bbd18cbf3ffdd47a3