Surface: Use fewer raw pointers to help avoid UAF issues

We've been seeing an increasing and concerning number of buffer-related
UAFs across a number of tests as we roll out more users of Surface.

This change hardens the implementation to use proper refcounts for all
buffers within Surface, as well as use the appropriate function for
converting a ANativeWindowBuffer* to an sp<GraphicBuffer>.

Bug: 413059222
Bug: 418318000
Bug: 420318909
Bug: 421921018
Flag: EXEMPT refactor
Test: existing tests

Change-Id: Id09c300163629467b30c13c36add91a7a4be6576