Handle non-encryption-aware accounts and sync.

The system can now boot in a "locked" state where only encryption
aware (EA) components can be safely started.  When in this state,
PackageManager already filters away non-EA components, but system
services like AccountManager and SyncManager need to carefully handle
these temporarily "missing" components.

As a guiding principle, all known Accounts are still present when
the device is locked, but communication with underlying non-EA
authenticators is blocked.

To keep things simple for now, all SyncManager requests are kept
dormant until the user enters the unlocked state.

The core of this logic is that RegisteredServicesCache now works
with all components regardless of EA status, which prevents us from
accidentally thinking a service was removed when the user is locked.

Bug: 25945136
Change-Id: I8714121f6236b00821769023c4df7de1c8a99944