This sprintf is safe thanks to the guarantees on the format
strings that we pass to it.
Well, almost. The GR_FILENAME_FMT_GUM format would not have
satisfied them if it was still used.
If someone makes a mistake that's a potential privilege escalation,
so I think it's reasonable to switch to snprintf to protect against
that remote possibility.