Install non-EA providers once user is unlocked.

When starting encryption-aware apps while the device is locked, we
can only spin up ContentProviders that have been marked as
encryption-aware.  Once the user is unlocked, we need to go back and
install non-encryption-aware providers in already running apps.

Fix bugs in getPackageInfo() where only one of the various MATCH_
flags was being consulted (!).  Move matching logic to single unified
location in PackageUserState so we have consistent behavior.

Fix another class of bugs where Safe Mode wasn't correctly filtering
package details (!).  These bugs are fixed by splicing in the new
MATCH_SYSTEM_ONLY flag as part of state-based flag mutation that was
added for encryption.

Bug: 25944787
Change-Id: I39c8da74b1f9ba944cc817176983f50ba322329c