Run verifications on callingUser, not targetUser.

We have two verifications on each API call: 1) that the caller is not
coming from an instant app, in which case it shouldn't have access to
other app data, and 2) that the calling uid matches the caller's package
name and user handle. We were previously running these checks on the
targetUser, which could be different from the callingUser.

This is one of the blockers re-enabling cross-user support.

Bug: 193902620
Bug: 194939218
Test: atest -m -c --rebuild-module-info CtsAppSearchTestCases
FrameworksCoreTests:android.app.appsearch
FrameworksServicesTests:com.android.server.appsearch
CtsAppSearchHostTestCases

Change-Id: I9ef21efcbf26e2680c712867f05fd4adbf243b8e