The _validate_cache_path() function is currently only applied to locally scanned files, but not to manifest keys when iterating over them in diff().
This means a corrupted or tampered manifest could contain keys like ../../etc/cron.d/evil, and since diff() passes them through as-is, downstream consumers would end up writing downloaded content outside of the intended data directory.
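One way to close the gap described above, as an added sketch that is not the project's own code: validate_cache_path() here is a hypothetical stand-in for _validate_cache_path(), and the diff() signature, the path-to-hash dict shape, the return value and the sample data are all assumptions. Keys are assumed to be POSIX-style relative paths.

```python
from pathlib import PurePosixPath


class UnsafePathError(ValueError):
    """Raised when a cache-relative path could escape the data directory."""


def validate_cache_path(rel_path: str) -> str:
    """Return rel_path normalised, or raise if it is not a safe relative path.

    Hypothetical stand-in for the project's _validate_cache_path().
    """
    if not rel_path or "\x00" in rel_path or "\\" in rel_path:
        raise UnsafePathError(rel_path)
    path = PurePosixPath(rel_path)
    # Reject absolute paths, empty results such as ".", and any ".." component.
    if path.is_absolute() or not path.parts or ".." in path.parts:
        raise UnsafePathError(rel_path)
    return str(path)


def diff(local: dict, manifest: dict):
    """Compare local files with the manifest (both map relative path -> hash).

    Manifest keys are untrusted input, so each one goes through the same
    validation as locally scanned paths before it can reach a consumer that
    joins it onto the data directory. Returns (to_download, rejected).
    """
    to_download, rejected = [], []
    for key, digest in manifest.items():
        try:
            safe = validate_cache_path(key)
        except UnsafePathError:
            rejected.append(key)  # surface to the caller for logging or abort
            continue
        if local.get(safe) != digest:
            to_download.append(safe)
    return sorted(to_download), sorted(rejected)


# Constructed sample data, not taken from the project.
LOCAL = {"a.txt": "h1"}
MANIFEST = {
    "a.txt": "h1",
    "sub/b.txt": "h2",
    "../../etc/cron.d/evil": "h3",
    "/abs.txt": "h4",
}
```

Consumers that write files should still resolve the final path and confirm it stays under the data directory, since symlinks inside the cache are not covered by a string-level check.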