Direct Transfer - Authorised project/group exports are accessible to other users

We have functionality introduced by !96503 (merged) and !107363 (merged) that authorised resources before being exported.

For example, an issue's epic or notes might not be visible to the exporting user (despite being an owner of the project) so they are filtered before generating the export upload.

Given this authorization is performed for the exporting user, by allowing the file to be downloaded by other users, we are potentially exposing inaccessible resources.

How to replicate

• With User A create two privates groups group-to-export and external-group
• Create an epic in each group and assign the one in group-to-export as a child epic of the one in external-group
• Visit (Group -> Settings -> General -> Advanced) and export group-to-export.
• Download the file and find epics.ndjson. The epic parent should be visible
• Invite another user User B to group-to-export and assign it the owner role.
• Log in as User B and visit the epic in group-to-export. The epic's parent (in the right sidebar) is not visible.
• Visit the export page and download the file again. Open epics.ndjson that includes the epic's parent information.