
Remove `download_code` dependency for permissions to read merge requests

What does this MR do and why?


Remove the ability `download_code` as a requirement to read merge requests.

In order to grant access to read merge requests, the ability `download_code` had to be enabled for the Planner role in !169256 (merged), but this resulted in unwanted access to other features (for example #467846 (comment 2239308099) & #508240 (closed)).

With this change, we can remove the `download_code` ability from Planner while maintaining the existing restrictions for Guest (no access to read MRs unless the project is public).

Note that this requirement was initially introduced as a security fix, but given that `read_merge_request` is not granted for Guest, I could verify the guards remain unchanged.


Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Invite a user with the guest role to a private project (e.g. http://gdk.test:3000/gitlab-org/gitlab-shell) (it might need gdk restart to take effect)
  2. Log in as this user and verify there is no access to the MRs page or a single merge request's URL
  3. Verify there is no access to endpoints http://gdk.test:3000/api/v4/projects/3/approval_settings or http://gdk.test:3000/api/v4/projects/3/approval_rules
  4. Verify no MR-related permissions are returned from request http://gdk.test:3000/api/v4/projects/3
  5. Verify that access to MRs is granted in public projects.
Edited by Eugenia Grieff
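
The validation steps above can be turned into a repeatable regression check for the Guest guards. This is an added example, not code from the merge request or from GitLab: `check_guest`, `http_fetch`, the set of status codes treated as "denied", the use of the `merge_requests` list endpoint as the API counterpart of the MRs page, and the rule that any JSON key containing `merge_request` counts as MR-related are all assumptions.

```python
import json
import urllib.error
import urllib.request

BASE = "http://gdk.test:3000"      # GDK host from the steps above
API = "/api/v4/projects/3"         # project id 3, as in the steps above
DENIED = {401, 403, 404}           # assumption: any of these means "no access"

def http_fetch(path, token):
    """GET path as the token's user; return (status, parsed JSON or None)."""
    req = urllib.request.Request(BASE + path, headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

def check_guest(fetch, token, public=False):
    """Return a list of failures; an empty list means the guards held."""
    failures = []
    mr_list = f"{API}/merge_requests"
    if public:
        # Step 5: MRs stay readable in public projects.
        status, _ = fetch(mr_list, token)
        if status != 200:
            failures.append(f"{mr_list}: expected 200, got {status}")
        return failures
    # Steps 2-3: a guest in a private project is denied on every MR endpoint.
    for path in (mr_list, f"{API}/approval_settings", f"{API}/approval_rules"):
        status, _ = fetch(path, token)
        if status not in DENIED:
            failures.append(f"{path}: guest got HTTP {status}")
    # Step 4: the project payload itself exposes nothing MR-related.
    status, body = fetch(API, token)
    if status != 200 or not isinstance(body, dict):
        failures.append(f"{API}: expected project JSON, got HTTP {status}")
    else:
        # Assumption: "MR-related" means any key naming merge requests.
        leaked = sorted(k for k in body if "merge_request" in k)
        if leaked:
            failures.append(f"{API}: MR fields visible to guest: {leaked}")
    return failures

if __name__ == "__main__":
    # Constructed responses standing in for a correctly guarded private project.
    sample = {API: (200, {"id": 3, "name": "gitlab-shell"})}
    fake = lambda path, token: sample.get(path, (403, None))
    print(check_guest(fake, "guest-token") or "guards held")
```

Against a running GDK, pass `http_fetch` and the guest user's personal access token instead of the constructed `fake` responses.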

