Improve security policy primary key validation

The following discussion from !158794 (merged) should be addressed:

• @aturinske started a discussion:

  thought (non-blocking): I would like for you to use the PRIMARY_POLICY_KEYS constant here, but I see that pipeline execution is also not using that constant. Probably because it has some extra values in it, so maybe that constant should be slimmed down a bit so that it can be used more consistently across all policies. Only scan execution is using it fully, when it actually shouldn't be, and merge request approval is adding to it. 🤔 I will look into this in a follow-up