Wiping `crypt/zone` is too aggressive

[smklein]

#3557 has some flaws, identified by @iliana :

• We intended to "wipe crypt/zone on reboot", to clear out zone filesystems between executions of the sled agent. This, in theory, is fine.
• In practice, the disk may be parsed more than once during the live execution of the Sled Agent, so

  omicron/sled-hardware/src/disk.rs

  Lines 511 to 522 in 9a09e64

  	if dataset.wipe {
  	info!(log, "Automatically destroying dataset {}", name);
  	Zfs::destroy_dataset(name).or_else(|err| {
  	// If we can't find the dataset, that's fine -- it might
  	// not have been formatted yet.
  	if let DestroyDatasetErrorVariant::NotFound = err.err {
  	Ok(())
  	} else {
  	Err(err)
  	}
  	})?;
  	}

  may be invoked, even while there are zones up-and-running, using those filesystems.