Limit support for confidential notes to issues and epics

To reduce the scope of MVC we need to limit the note's noteable_type to only support confidentiality when it's an issue or an epic.

This feature is being developed behind the FF confidential_notes.

Proposal

1. We could perform this check at the policy level. We could add something like :create_confidential_note and then filter by issuable.type
2. We could validate the noteable type at the model level, before creating the note