Include groups in instance-level `Internal` visibility restriction

Problem

In https://gitlab.com/gitlab-org/gitlab-ee/issues/12388, we proposed adding an instance-level setting to restrict the use of the Internal visibility setting for projects. For instances like GitLab.com, this doesn't have high utility and can confuse users.

While projects are the most important object to restrict, we should include groups in the visibility restriction for similar reasons as to the above - an Internal group on GitLab.com provides little additional security, since the instance can be registered and accessed by nearly anyone.

Proposal

• The configuration to disable the Internal setting on new projects should be extended to include groups. When enabled, new groups should only be created with Public or Private visibilities.