Commit a669ce68 authored by Yurii Zubrytskyi

Disallow everyone to list files in the package dir

Only the system and the owner should be able to list the app
directory, both levels of it. Our code used the default mode
for them, making Incremental installations vulnerable to any
app that can see mounted filesystems: enumerating files in the
mounted incfs instance would give away the app package name.

This CL explicitly changes the mode to only allow reading
individual files in the directory, but not listing them. Also, we
now have code that fixes any originally installed packages to
make sure their mode is set properly as well.

Bug: 261766355
Test: manual + an incremental CTS case
Change-Id: Ib084a3da95bd3e45463ee9e85e5b626495fd5486
parent c4a66af3
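
The mode change described in the commit message, sketched as an added example; this is not the code from the CL. The function names and the choice to clear the group/other read and write bits while leaving the search bit (so 0755 becomes 0711) are assumptions.

```cpp
// Added example, not taken from the commit. Names and modes are assumptions.
#include <dirent.h>
#include <sys/stat.h>
#include <string>
#include <vector>

// Bits that let group/others list a directory (read) or modify it (write).
static constexpr mode_t kListOrWrite = S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;

// True if `dir` is a real directory (not a symlink) that group or others
// can enumerate or modify.
bool isListable(const std::string& dir) {
    struct stat st{};
    return ::lstat(dir.c_str(), &st) == 0 && S_ISDIR(st.st_mode) &&
           (st.st_mode & kListOrWrite) != 0;
}

// Clears read/write for group/others and leaves every other bit alone.
// With the search (x) bit still set, a caller who already knows a file
// name can open it, but readdir() on the directory is denied.
bool makeTraverseOnly(const std::string& dir) {
    struct stat st{};
    if (::lstat(dir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode)) return false;
    mode_t fixed = st.st_mode & 07777 & ~kListOrWrite;
    return ::chmod(dir.c_str(), fixed) == 0;
}

// Repairs `root` and each immediate subdirectory (the two levels the
// commit message mentions). Returns how many directories were changed.
int fixTwoLevels(const std::string& root) {
    std::vector<std::string> dirs{root};
    if (DIR* d = ::opendir(root.c_str())) {
        while (dirent* e = ::readdir(d)) {
            std::string name = e->d_name;
            if (name != "." && name != "..") dirs.push_back(root + "/" + name);
        }
        ::closedir(d);
    }
    int changed = 0;
    for (const auto& p : dirs)
        if (isListable(p) && makeTraverseOnly(p)) ++changed;
    return changed;
}
```

Running `fixTwoLevels` a second time returns 0, which makes it usable as a repair pass over directories created before the mode was tightened.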