The --sbom flag was introduced while we were still figuring out how to handle scanning in different contexts and stuff like resolving patterns to files (like with requirements.txt) rather than just 1:1 mappings.

Nowadays we shouldn't need a dedicated flag (in fact right now you can use -L instead of -sbom and get the same results), and it makes it hard to move forward with #1846 due to its slightly special-but-unneeded behaviour.

We should start by deprecating the --sbom flag in favor of -L, and go from there