Add a note about canonicity of ephemeral public keys.

zcash_primitives/src/sapling/note_encryption.rs

@@ -118,6 +118,9 @@ pub struct SaplingDomain<P: consensus::Parameters> {
 
 impl<P: consensus::Parameters> Domain for SaplingDomain<P> {
     type EphemeralSecretKey = jubjub::Scalar;
+    // It is acceptable for this to be a point because we enforce by consensus that 
+    // points must not be small-order, and all points with non-canonical serialization
+    // are small-order.
     type EphemeralPublicKey = jubjub::ExtendedPoint;
     type SharedSecret = jubjub::SubgroupPoint;
     type SymmetricKey = Blake2bHash;