pub fn classify_unix_socket(path: &str, owner_pid: u32) -> bool
Classify whether a Unix domain socket is suspicious.
Flags abstract sockets owned by high-uid processes and sockets in staging directories.