www/caddy: Secure the default admin API endpoint

Caddy's default of localhost:2019, particularly combined with the port
defaulting to root:wheel, can be a significant security risk.

Mitigate this by setting the default to /var/run/caddy/caddy.sock, which
will be protected by filesystem permissions. Prior behaviour can be
restored with 'sysrc caddy_admin=localhost:2019'.

Additionally, help users prepare for a change to running Caddy as
www:www by default using the new security/portacl-rc port in an update
message, and by extending the comments in the rc script.
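
An added example, not part of the original commit or the port: a POSIX sh check that classifies an admin endpoint value as a loopback TCP listener (no filesystem permissions apply, so any local user can connect) or a Unix socket, and inspects the socket's "other" permission bits. The function names and result strings are hypothetical, and the `unix/` prefix handling assumes Caddy's network-address form in addition to the bare path the commit message gives.

```shell
#!/bin/sh
# Hypothetical helper names; only the two endpoint values come from the commit message.

# Print the "other" permission triplet (e.g. "r-x") of a path, taken from ls -ld.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Print "unix" for a socket path (bare, or with a unix/ prefix), otherwise "tcp".
admin_kind() {
    case "$1" in
        unix/*|/*) echo unix ;;
        *)         echo tcp ;;
    esac
}

# Print one of: tcp-any-local-user, unix-missing,
# unix-world-accessible, unix-restricted.
audit_admin() {
    addr=$1
    if [ "$(admin_kind "$addr")" = tcp ]; then
        echo tcp-any-local-user
        return 0
    fi
    path=${addr#unix/}            # strip the optional unix/ prefix
    if [ ! -e "$path" ]; then
        echo unix-missing
        return 0
    fi
    # Connecting needs search (x) on the directory and write (w) on the socket.
    # Only the immediate parent directory is inspected here.
    dir=$(dirname "$path")
    case "$(other_bits "$dir")"  in ??x|??t) dir_open=1 ;;  *) dir_open=0 ;;  esac
    case "$(other_bits "$path")" in ?w?)     sock_open=1 ;; *) sock_open=0 ;; esac
    if [ "$dir_open" = 1 ] && [ "$sock_open" = 1 ]; then
        echo unix-world-accessible
    else
        echo unix-restricted
    fi
}

# The prior default and the new default named in the commit message.
for a in localhost:2019 /var/run/caddy/caddy.sock; do
    echo "$a: $(audit_admin "$a")"
done
```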