Only allow group owners to make user changes that impact billing

Problem to solve

Similarly to #35667 (closed).

Non-admin users have too much freedom over whether or not they take up a paid seat, and admins do not have enough control over this. Currently, a guest user can move themselves into a paid seat by creating a project in their personal namespace, or a maintainer or group owner could add them to their group or project while another maintainer or group owner only wants to allow them guest-level access.

It's also really hard to see an overview of what groups/projects a user is a member of without specifically going into that user and clicking the groups/projects tab. When an instance has thousands of users, it's almost impossible to understand which users are taking up paid seats and in which project/groups they are allocated those seats.

This makes it hard for customers to manage billing and forecasting, especially in the case where large companies are utilising GitLab in such a way where groups on the instance are allocated to specific teams in their org and have separate budgets.

Proposal

Only allow group owners to make user changes that impact billing and incur charges. We should remove the "Add new team members" permission from the maintainer role. We should do this for gitlab.com and self-managed (further debates for self-managed happening here: #35667 (closed)).

Edited Nov 15, 2019 by Luca Kisielius