Context

#6215

Per:
https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.SystemsADM.10010
https://twcsecurityassurance.visualstudio.com/SecurityPolicy/_git/SecurityPolicy/pullrequest/1230

Existing uses of BinaryFormatter must be removed or disabled by Jan 1, 2024.

Expected outcome

• Behavior of .NET and .NET Framework version of MSBuild is unified - the the BinFmt is disallowed by default
• While BinFmt is still workable on Framework - assume it is not for the purpose of this change (as it may be soon removed from Framework and only be pluggable via optional nuget) - so it is fine to drop violating events (providing build error is emitted)

UPDATE (Oct/19):

• For more gradual introduction of this breaking change, let's implement this for .NET Framework as a warning and without discarding the event.
• .NET Core behavior will stay the same.
• Per offline discussion with @rokonec - this can be achieved by skipping the sender side check for Framework, as receiving side check already has a warning.
• In the future we'll change the warning to error (not part of this item)

Open Questions

• Does AppContext.TryGetSwitch("System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization", out bool enabled) make sense on .NET Framework as well. I'll provide answer to this later on. - the switch can be used on Full Framework as well. There is currently no usage of that in Framework runtime. But we can keep the code for boh versions to avoid special casing