Problem/Motivation
We use serialized columns in many places in core where JSON encoded arrays could be used. This can lead to security vulnerabilities in some contexts and we should move away from it if possible.
Where it is not possible, we should use the "allowed_classes" option for unserialize to reduce risk: https://www.php.net/manual/en/function.unserialize.php
Proposed resolution
Audit core to find instances of serialized columns, and determine where moving to JSON is possible.
In this issue or a follow up:
1. Deprecate SerializedColumnNormalizerTrait and friends in favor of killing unserializes
2. Write a PSA to tell people to fix their custom normalizers that use unserialize, and call out unserialize generally as probably a bad practice
Remaining tasks
See above.
User interface changes
None.
API changes
TBD.
Data model changes
TBD.
Release notes snippet
TBD.
