taint-mode: Check variables as if they were subexpressions

[IagoAbal]

If the LHS of ->foo was a sink, and we encountered x->foo where x
was a variable, we did not report a finding even if x was tainted. We
were not checking whether x was in a sink position.

Although they are not represented as such in the IL, variables are
themselves subexpressions, so we must check whether they are sinks or
sanitized.

Closes #4320

test plan:
make test # test included

PR checklist:

• Documentation is up-to-date
• Changelog is up-to-date
• Change has no security implications (otherwise, ping security team)

[github-actions]

🔥 Potential speedup in benchmark semgrep.bench.apache.std: -44.7% (-6.902 s)

14 benchmarks, 0.6% faster on average.

Individual deviations greater than 20% from the baseline are reported. An individual performance degradation of over 30% or a global degradation of over 7% is an error and will block the pull request. See run output for full results ('Show all checks' > 'Tests / semgrep benchmark tests' 'Details').