Block activity starts from background when realCallingUid is

a persistent system process and the start wasn't explicitly
whitelisted by the sender

Also, adds mechanism to temporary whitelist processes when
broadcast-based PendingIntent was whitelisted, so that
activities can be opened for the duration of the broadcast
being processed.

For now, all this is only wired for notifications.

Note: those whitelists are separate - only UI elements like
notifications will leverage both in order to support trampolines.
Other system-based PendingIntent senders should only use the
activity-based whitelist when they want an activity to be opened
from background.

Bug: 110956953
Test: atest WmTests:ActivityStarterTests
Test: manual with Play notifications that are known
      for doing trampolines

Change-Id: Ibab91cdbe7afc0aed29d430dd41327272020925b