Require permission for internal broadcast

It was possible for other apps to request removal of the guest user
that was handled by an internal receiver in SystemUI.

Fix requires the broadcast sender to have an internal permission
so that only SystemUI can send that broadcast (PendingIntent).

Bug: 22671268
Change-Id: I63a8ced692e6d1cb2872b962ad247a827dbafbc6