Re-instate MR 213623 post-Incident 20931

Summary

As part of incident 20931, we reverted previously introduced performance improvements that included removing per-source (!213623 (merged)) (for example, notes or comments) and per-participant (!214345 (merged)) permission checks from the participants API endpoints.

As stated in the post-incident review, both changes were not security vulnerabilities. However, due to a high number of customer support tickets and customers expressing security concerns, we decided to revert both MRs during the incident via !215092 (merged).

Also, as noted in the post-incident review, only one of the two reverted MRs was the cause of the customer support tickets and the incident. That change was the removal of per-participant permission checks, not the removal of per-source permission checks.

Given that, we discussed and decided to reintroduce the per-source permission check removal for performance improvements.

This time, the change is being rolled out behind a short-lived de-risk feature flag to allow for a safe rollout and an easy rollback in case of any reports.