python · aqt
Heads-up
aqt: Localhost API access via iframes in editor
What changed
Anki's webview-based pages communicate with the Rust backend through an internal localhost API. The measures meant to stop user scripts from reaching this API inadvertently let scripts loaded through iframes in the editor call it, enabling arbitrary file read via methods such as `getImageForOcclusion`.
Who it affects
Any desktop Anki user (Windows, macOS, Linux) who imports an untrusted `.apkg` and views a card with an embedded iframe.
What to do today
Upgrade aqt to version 25.09.4 or later. If you cannot upgrade yet, apply the workarounds: do not import `.apkg` files from untrusted sources, inspect `.apkg` contents for scripts and iframes before importing, and block unexpected outbound network requests from the Anki process.
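The "inspect `.apkg` contents" workaround is easy to automate. The following script is an added example, not code from the advisory or from the Anki project: it opens an `.apkg` offline, reads the note fields out of the bundled SQLite collection, and reports any field containing iframe, script, object/embed or inline event-handler markup, so a deck can be rejected before it is ever imported. It assumes the legacy `.apkg` layout (a zip holding an uncompressed SQLite file named `collection.anki21` or `collection.anki2`, whose `notes` table keeps all fields of a note in the `flds` column separated by the 0x1f unit separator); newer zstd-compressed `collection.anki21b` exports are not handled. The sample deck it builds for demonstration is constructed here, not taken from any real package.

```python
"""Scan an Anki .apkg for note fields that carry iframe/script markup.

Added example (not part of the advisory or of Anki). Assumes the legacy
.apkg layout: a zip containing an uncompressed SQLite database named
collection.anki21 or collection.anki2, whose `notes` table stores every
field of a note in `flds`, separated by the 0x1f unit separator.
"""
import os
import re
import sqlite3
import tempfile
import zipfile

# Markup that can execute script or pull in remote content when a card is
# rendered. This is a heuristic: inline event handlers (onload=, onerror=)
# are matched by pattern and may produce the odd false positive, which is
# acceptable for a pre-import screening step.
SUSPICIOUS = re.compile(
    r"<\s*(iframe|script|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)

# Database names tried in order of preference inside the zip.
DB_NAMES = ("collection.anki21", "collection.anki2")


def scan_fields(flds: str):
    """Return (field_index, snippet) for each field of a note that matches."""
    hits = []
    for index, field in enumerate(flds.split("\x1f")):
        match = SUSPICIOUS.search(field)
        if match:
            snippet = field[max(0, match.start() - 20): match.end() + 40]
            hits.append((index, snippet))
    return hits


def scan_apkg(path: str):
    """Return a list of (note_id, field_index, snippet) for suspicious notes."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        db_name = next((n for n in DB_NAMES if n in names), None)
        if db_name is None:
            raise ValueError(f"no supported collection database in {path}: {sorted(names)}")
        data = zf.read(db_name)

    findings = []
    # sqlite3 wants a file on disk, so extract the database into a scratch
    # directory that is removed again when the scan finishes.
    with tempfile.TemporaryDirectory() as tmpdir:
        db_path = os.path.join(tmpdir, db_name)
        with open(db_path, "wb") as fh:
            fh.write(data)
        conn = sqlite3.connect(db_path)
        try:
            rows = conn.execute("SELECT id, flds FROM notes").fetchall()
        finally:
            conn.close()
    for note_id, flds in rows:
        for index, snippet in scan_fields(flds):
            findings.append((note_id, index, snippet))
    return findings


def build_sample_apkg(path: str) -> None:
    """Write a constructed, minimal .apkg with one benign and one suspicious note."""
    db_path = path + ".sqlite"
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, flds TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [
            (1, "What is 2+2?\x1f4"),
            # Constructed sample: the back field smuggles an iframe into the card.
            (2, 'Capital of France?\x1fParis <iframe src="https://example.invalid/"></iframe>'),
        ],
    )
    conn.commit()
    conn.close()
    with zipfile.ZipFile(path, "w") as zf:
        zf.write(db_path, "collection.anki21")
        zf.writestr("media", "{}")
    os.unlink(db_path)


def scan_sample():
    """Build the constructed sample deck in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        sample = os.path.join(tmpdir, "sample.apkg")
        build_sample_apkg(sample)
        return scan_apkg(sample)


if __name__ == "__main__":
    import sys
    results = scan_apkg(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for note_id, index, snippet in results:
        print(f"note {note_id} field {index}: {snippet!r}")
    sys.exit(1 if results else 0)
```

Run it as `python scan_apkg.py deck.apkg`; a non-zero exit status means at least one note field matched and the deck should be looked at by hand rather than imported. With no argument it scans the constructed sample deck and reports note 2, field 1 (the back side carrying the iframe).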
Source
GitHub Advisory · aqt