Keep record of restricted permissions in LightAppPermGroup

Restricted non-whitelisted permission should indeed be treated as if not
even requested. But there are very rare cases where they are still
needed.

This refactors the creation of the LightAppPermGroup a little as now the
restriction computation happens in LightPermission. Hence
LightPermission needs a package as an argument which changes
GrantRevokeTests a little.

Bug: 155019930
Test: atest GrantRevokeTests
Change-Id: Id979f6165d09456948a3868bcf9ff058eeb9bd1b
Merged-In: Id979f6165d09456948a3868bcf9ff058eeb9bd1b