SMT exclusion should be by pid rather than zoneid
One part of #11048 was an API to restrict workloads from running on SMT pairs when vulnerable (or potentially aggressive) workloads were running on the sibling. This was primarily to mitigate HVM guests from using micro-architectural side channel attacks against the host or other guests. Originally this exclusion was implemented using zoneid as the identifier to distinguish security boundaries. It would be valuable to change this to pid. Doing so would better protect other host software running in a zone with an HVM instance, or when multiple HVM instances are running together in a (potentially global) zone.
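
A simplified model of the exclusion check described above, added here as an example and not taken from the illumos source. The type and function names, the rule that a thread flagged for exclusion may only share a core with a thread carrying the same identifier, and the sample threads are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model, not the illumos API: which identifier marks a boundary. */
typedef enum { KEY_ZONEID, KEY_PID } excl_key_t;

typedef struct {
    const char *name;
    int pid;
    int zoneid;
    bool excl;              /* thread requested SMT exclusion (e.g. an HVM vCPU) */
} thr_t;

static int thr_id(const thr_t *t, excl_key_t key)
{
    return key == KEY_ZONEID ? t->zoneid : t->pid;
}

/* May cand run on the SMT sibling of the CPU currently running cur? */
bool sibling_ok(const thr_t *cur, const thr_t *cand, excl_key_t key)
{
    if (cur == NULL || cand == NULL)
        return true;                    /* idle sibling: nothing to leak to */
    if (!cur->excl && !cand->excl)
        return true;                    /* neither side asked for exclusion */
    return thr_id(cur, key) == thr_id(cand, key);
}

/* Constructed sample: two HVM instances and a daemon, all in the global zone (0). */
const thr_t vm_a0 = { "hvm-a vcpu0", 1001, 0, true };
const thr_t vm_a1 = { "hvm-a vcpu1", 1001, 0, true };
const thr_t vm_b0 = { "hvm-b vcpu0", 1002, 0, true };
const thr_t sshd  = { "sshd",         400, 0, false };

int main(void)
{
    const thr_t *peers[] = { &vm_a1, &vm_b0, &sshd };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s beside %s: zoneid=%s pid=%s\n", peers[i]->name, vm_a0.name,
            sibling_ok(&vm_a0, peers[i], KEY_ZONEID) ? "share" : "exclude",
            sibling_ok(&vm_a0, peers[i], KEY_PID) ? "share" : "exclude");
    return 0;
}
```

With zoneid as the key, every pairing in the sample is allowed to share a core because all four threads are in zone 0; with pid as the key, only the two vCPUs of the same HVM process are.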