Flip the protection level for SCHEDULE_EXACT_ALARM

Updating the protection level to match the permission's behavior: only
apps that are privileged or signed with the platform cert will be
granted this permission statically.

This is still an appop permission so the user can explicitly grant or
deny this to any app that is requesting this via Settings. Similarly,
some roles may grant holders the app-op for this permission.

Permission check for latest apps will be simply delegated to
PermissionChecker.

Since this permission is now a privileged permission, this needs to be
added in the privapp allowlist for all apps currently declaring it to
successfully boot the device.

Older apps (targeting < 33) should not see any changes in how it
behaves - so apps that are not explicitly deny-listed in alarm manager
will see it being statically granted in the absence of user's explicit
choice.

This change is not expected to have any behavorial impact by itself. But
is instead supposed to establish the behavior of SCHEDULE_EXACT_ALARM
going forward. This also allows for simpler documentation and code
maintenance.

Test: Builds, boots.
Test: Manually check that the "Alarms & Reminders" UI works as expected
Test: atest FrameworksMockingServicesTests:AlarmManagerServiceTest

Bug: 270109095
Change-Id: Id18fabb1c3d1215400090540ade1e0257a5434ca