Referencing issues/MRs in private context leaks in participant list
Problem
When a (public) issue or MR is referenced from a private issue or MR, the referenced issue leaks the external (non-public) engagement through its participant list.
This was discovered during a SIRT investigation where @mjozenazemian linked a suspicious issue from https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/1175 and, as a result, the user icon is displayed in the participants list even with unauthenticated access to the referenced issue:
I've verified the same behavior on MR participant lists; after a brief look at the source code I think we do not have any access controls for participant lists in place at all.
Proposal
The participant list should get access controls so that only those participants are displayed whose engagement the current_user can also see, as in the logged-in screenshot below:
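As an added illustration of the proposed check (example code, not GitLab's own; all names such as Project, Note, Issue and participants_for are assumptions), the toy model below collects an issue's participants from the notes that reference it and keeps a participant only when the viewer can read the project the referencing note was written in. The unfiltered method reproduces the leak described above; the filtered one is the proposed behavior.

```ruby
# Added example, not GitLab code. Minimal model of cross-reference participants
# with a per-viewer visibility check. All class and method names are assumed.

# A project is readable by everyone when public, otherwise only by its members.
Project = Struct.new(:name, :visibility, :member_users) do
  def readable_by?(user)
    visibility == :public || (!user.nil? && member_users.include?(user))
  end
end

User = Struct.new(:name)

# A reference note lives in the project it was written in; that project's
# visibility decides who may learn about the engagement.
Note = Struct.new(:author, :project)

class Issue
  attr_reader :author, :project, :notes

  def initialize(author, project)
    @author = author
    @project = project
    @notes = []
  end

  # Record that from_user referenced this issue from from_project.
  def add_reference(from_user, from_project)
    @notes << Note.new(from_user, from_project)
  end

  # Leaky behavior as reported: every referencing author is listed, even when
  # the referencing note lives in a private project and the viewer is anonymous.
  def participants_unfiltered
    ([author] + notes.map(&:author)).uniq
  end

  # Proposed behavior: show the issue author when the issue itself is readable,
  # and a referencing author only when current_user can read the project that
  # the referencing note belongs to. current_user = nil means unauthenticated.
  def participants_for(current_user)
    return [] unless project.readable_by?(current_user)
    visible_notes = notes.select { |n| n.project.readable_by?(current_user) }
    ([author] + visible_notes.map(&:author)).uniq
  end
end

# Constructed sample data: a public issue referenced once from a private
# project (the SIRT-style case) and once from the public project itself.
ALICE = User.new("alice")
BOB   = User.new("bob")
CAROL = User.new("carol")
PUBLIC_PROJECT = Project.new("public-project", :public, [BOB, CAROL])
PRIVATE_SIRT   = Project.new("private-sirt", :private, [ALICE])

def sample_issue
  issue = Issue.new(BOB, PUBLIC_PROJECT)
  issue.add_reference(ALICE, PRIVATE_SIRT)   # private engagement
  issue.add_reference(CAROL, PUBLIC_PROJECT) # public engagement
  issue
end

def leaky_participant_names
  sample_issue.participants_unfiltered.map(&:name)
end

def participant_names_for(current_user)
  sample_issue.participants_for(current_user).map(&:name)
end

if __FILE__ == $0
  puts "unfiltered:      #{leaky_participant_names.inspect}"
  puts "anonymous view:  #{participant_names_for(nil).inspect}"
  puts "alice's view:    #{participant_names_for(ALICE).inspect}"
end
```

Run it with `ruby participants.rb`: the unfiltered list exposes alice to an anonymous viewer, while the filtered list shows alice only to a viewer who is a member of the private project. The same predicate applies unchanged to merge requests, since the check is on the referencing note's project rather than on the issue type.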
cc: @kyletsmith FYI
cc: @gitlab-com/gl-security/appsec for triage