JSON serialization of any Project model results in all Runner tokens being exposed through Quick Actions

This is a repeat of gitlab-foss#59003 (closed), but with a minor change to reproduce. It now needs a note that isn't command-only.

Steps to reproduce

  1. Create a project
  2. Create an issue
  3. Write some text\n/move <full path of any other project> and click "Comment"; a request to /:namespace/:project/notes is submitted
  4. Observe the JSON response that is being returned, which contains the serialized Project model
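
A regression check for the leak described above, as an added example that is not part of the original report or of GitLab's code: it walks a JSON response, reports every key path whose name looks like a credential, and shows an allowlist serializer clearing the finding. The response shape, the field names and the key pattern are assumptions constructed for illustration.

```ruby
require 'json'

# Key names treated as secret (an assumption for this example).
SENSITIVE_KEY = /token|secret|password/i

# Fields allowed to leave the server (hypothetical allowlist).
PROJECT_PUBLIC_FIELDS = %w[id name path_with_namespace].freeze

# Constructed sample: a notes response that embeds a whole project model.
LEAKY_RESPONSE = JSON.generate(
  'valid' => true,
  'changes' => {
    'target_project' => {
      'id' => 42, 'name' => 'other', 'path_with_namespace' => 'group/other',
      'runners_token' => 'CONSTRUCTED-PLACEHOLDER',
      'runners' => [{ 'id' => 7, 'token' => 'CONSTRUCTED-PLACEHOLDER' }]
    }
  }
)

# Walk parsed JSON and return the path of every key that looks secret.
def sensitive_paths(node, path = '$')
  case node
  when Hash
    node.flat_map do |key, value|
      here = "#{path}.#{key}"
      (key.to_s.match?(SENSITIVE_KEY) ? [here] : []) + sensitive_paths(value, here)
    end
  when Array
    node.each_with_index.flat_map { |value, i| sensitive_paths(value, "#{path}[#{i}]") }
  else
    []
  end
end

# Audit a raw JSON body, as a request spec would do on the notes response.
def audit(json_text)
  sensitive_paths(JSON.parse(json_text))
end

# Hardened form: serialize the project through the allowlist, never the model.
def fixed_response(json_text)
  body = JSON.parse(json_text)
  project = body['changes']['target_project']
  body['changes']['target_project'] = project.slice(*PROJECT_PUBLIC_FIELDS)
  JSON.generate(body)
end

puts audit(LEAKY_RESPONSE)
```

Run as an assertion in a request spec, an empty result from `audit` is the pass condition; any returned path names the nested field that leaked.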