php · wwbn/avideo · Critical
wwbn/avideo: Incomplete fix for CVE-2026-33482 allows command injection via single '&'
The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete.
What changed
The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. The sanitizeFFmpegCommand() function still allows a single '&' character, which the sh -c sink treats as a command separator, so OS command injection remains possible.
Who it affects
Users of wwbn/avideo who run the standalone encoder server and accept encrypted payloads via codeToExecEncrypted.
What to do today
Replace the metacharacter denylist with per-argument escaping: build the command as an argv array and pass every token through escapeshellarg(). At minimum, add '&' to the set of stripped characters.
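One way to implement the per-token escapeshellarg() approach, as an added example that is not avideo's own code; the function name, the option allowlist and the assumption that the encoder payload carries a structured argument list rather than a shell string are all this example's own:

```php
<?php
// Added example (not avideo's sanitizeFFmpegCommand()): build the ffmpeg
// invocation from a structured argument list instead of trying to strip
// shell metacharacters out of a command string. A denylist has to name
// every separator (';', '|', '&&', a lone '&', newlines, backticks, $( )),
// whereas quoting each token makes the shell treat it as data.
// The option allowlist below is an assumption for illustration.

// ffmpeg options the encoder is expected to receive; anything else is rejected.
const ALLOWED_FFMPEG_OPTIONS = ['-i', '-c:v', '-c:a', '-b:v', '-b:a', '-vf', '-y', '-f'];

/**
 * Turn an argv-style array into a shell string in which every token is one
 * fully quoted word. escapeshellarg() wraps each token in single quotes, so a
 * '&' inside a filename reaches ffmpeg literally instead of being parsed by
 * sh -c as a command separator.
 *
 * @param string[] $args arguments after the program name, one token each
 */
function buildFfmpegCommand(array $args): string
{
    foreach ($args as $arg) {
        if (!is_string($arg)) {
            throw new InvalidArgumentException('every argument must be a string');
        }
        // Tokens that look like options must come from the allowlist; this keeps
        // the attack surface to the ffmpeg features the encoder actually needs.
        if ($arg !== '' && $arg[0] === '-' && !in_array($arg, ALLOWED_FFMPEG_OPTIONS, true)) {
            throw new InvalidArgumentException("ffmpeg option not allowed: $arg");
        }
    }
    // The program name is fixed here; it never comes from the payload.
    return 'ffmpeg ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed input: a legitimate filename that happens to contain '&'.
// After escaping it is a single quoted argument, so no separator is exposed.
$cmd = buildFfmpegCommand(['-i', 'clip & trailer.mp4', '-c:v', 'libx264', '-y', 'out.mp4']);
echo $cmd, PHP_EOL;

// Constructed input: an unexpected option is rejected before any shell is involved.
try {
    buildFfmpegCommand(['-i', 'in.mp4', '-filter_complex', 'x', 'out.mp4']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

If the encrypted payload must stay a string for compatibility, decode it into an argument array (for example JSON) on the encoder side and run it through the same builder rather than splitting it on whitespace.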