itsdangerous only supports HMAC-style signing of payload data, but it would really be better to use proper encryption, so that tokens.Serializer is usable on deployments that need PKCE et al. (which would allow the Flask wrapper to return to a tokens.Serializer default).
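Added illustration (not code from itsdangerous or from this project): a standard-library stand-in for an HMAC-signed serializer, showing that a signed token is tamper-evident but still readable by anyone who holds it. The token layout, the function names, the sample values, and the idea that the serialized state carries a PKCE `code_verifier` are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(state: dict, key: bytes) -> str:
    """Serialize and HMAC-sign: integrity only, the payload is not hidden."""
    body = b64e(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64e(tag)}"


def verify(token: str, key: bytes) -> dict:
    """Key holder: accept the payload only if the tag matches."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64d(tag), expected):
        raise ValueError("bad signature")
    return json.loads(b64d(body))


def read_without_key(token: str) -> dict:
    """Anyone holding the token: the payload decodes with no key at all."""
    return json.loads(b64d(token.rpartition(".")[0]))


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    key = b"constructed-signing-key"
    state = {"code_verifier": "constructed-verifier", "state": "xyz"}
    token = sign(state, key)
    print("verified by key holder:", verify(token, key))
    print("read with no key      :", read_without_key(token))
```

The signature stops modification, not disclosure, which is why a signed-only token is a poor carrier for a value that must stay confidential.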