Apply backend validation when setting confidential note flag
Through the frontend we currently only expose the "mark comment as confidential" option to users who "can update" the issuable. We should validate this in the backend too.
For the first iteration we also want to force all thread replies to be confidential where the original comment is confidential. Similarly, we should NOT allow pubilc (non-confidential) comment/thread replies to be confidential.
/cc @tomquirk