Fix the required permission at the Group level for pulling packages.

With !57600 (merged), we modified the maven package finder to improve its efficiency.

One of the improvements made was to implement #287638 (closed) by using an existing finder helper.

This causes an issue for the group level maven api.

Given this situation:

Group -> Subgroup -> Project

Reporters of Subgroup could pull packages from Project by using the group level endpoint and targeting Group.

How is that possible?

Users need the read_group permission on the target group (Group).
- This is granted by the group policy which basically says if a user has access to any of the subprojects, it has access to the root group with the read_group permission.
Users need the read_package permission on the project (Project).
- This is granted by the usual role system where reporters of Subgroup will be reporters on the contained projects.
- The above will grant the read_package permission

The same scenario will now fail.

Users need the read_group permission on the target group (Group).
- Same as before
Users need the read_package permission on the project (Project).
- Same as before
In addition, users need read_package on the target group (Group)
- This is a new check
- read_package on groups is only granted to direct reporters (or public groups).
  - Reporters of Subgroup will not have this 💥

We could grant read_package the same way that read_group is granted for a Group but that will open things too much to my taste. This increases the risk of leaking private objects.
We can modify the package finder helper to enforce read_group instead of read_package.
- This would mimic the same set of permissions checked for Maven APIs before the MR.
- The package finder helper is also used by NuGet packages but this is fine as nuget APIs directly check the read_package permission on the group.

Solution (2.) is the best one.