Draft: Make Firefox, Thunderbird and Chromium trust system root certificate store

This works by making libnssckbi.so consumers like the mentioned applications use p11-kit.

The change consists of two parts:

1. A workaround for #704180 p11-kit which unfortunately still does not provide a package which replaces/diverts libnssckbi.so. This can be reverted and replaced with a dependency on such a package as soon as that becomes available.
2. The removal of the pre-poulation of ~/.pki/nssdb/ in different places as well as policies for Firefox and Thunderbird with the same effect.

Due to the diversion in 1.) the package becomes architecture dependent.