Fix DomainVerificationEnforcer for app visibility

Cleans up the permission logic and introduces app filtering.

This will require non-user targeted APIs that hit a package name
to hold QUERY_ALL_PACKAGES. This ensures the caller can see the packages
without needing to check instant app state by passing a userId.

Currently it's not clear how to handle instant app visibility, but it's
assumed that the verification agent and settings have visibility.

Bug: 171251883

Test: atest DomainVerificationEnforcerTest

Change-Id: I3ffe2cc0307c9efa97dfcf8474a620622e7cfcfe