Enable `:download_code` on project for custom roles

What does this MR do and why?

• Adds policy check on a project so that a user with a custom role based on the GUEST role can download code if that custom role allows it.
• This is gated on the customizable_roles feature flag being turned on for now because we want to evaluate performance before making it generally available
• The custom role check applies to a custom role anywhere within the project hierarchy. If any custom roles for that user enable download_code, then they can download code unless another policy check explicitly prevents that.
• This is an additive-only approach. Meaning that download_code: false does not take away the ability for a guest user to download code on a public repository. But download_code: true enables this ability for guest users on a private repository, who by default cannot download code.
• These custom roles can be defined via the API endpoints created here: !96996 (merged)
• Issue: #370088 (closed)

Screenshots or screen recordings

Screen recording of this working: https://www.youtube.com/watch?v=i4wLmgTBjZs (internal only)

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

• I have evaluated the MR acceptance checklist for this MR.