For inbound data the simplest, safest thing to do is to traverse all
JSON right after encoding and search for private parameters by key.

This ensures that all consumers of this data get Private values
transparently and consistently; the serializing methods don't have to
worry about trying to understand what kind of JSON it is receiving.
It also minimizes the surface area of codebase that is exposed to the
values directly.

The downside is it adds a ~5% time overhead to all JSON decoding as
measured through:

$ time make hs-test-py_compat_types

As far as encoding to JSON is concerned, the serializer will redact
Private values unless told to do so explicitly (e.g., for tests).

Signed-off-by: Santi Raffa <rsanti@google.com>
Reviewed-by: Jose A. Lopes <jabolopes@google.com>