Issues::CreateService should embed permission checks

Problem

While reviewing !92146 (closed) I realized that Issues::CreateService does not embed the permission check can?(user, :create_issue, project).

This makes it unsafe to use this service object since it's supposed to be an application-level service but permission checks are missing. In fact, today we do have to execute the permission check before running this service. We do it in most of the places but I found at least one place where we don't seem to check for permissions (if I'm understanding the code correctly):

IncidentManagement::PagerDuty::CreateIncidentIssueService --> IncidentManagement::Incidents::CreateService --> Issues::CreateService

This chain of services is executed without permission checks.

Proposal

Embed the permission check inside the service object so it can be safely used by other contexts like IncidentManagement and we don't need to duplicate the permission check everywhere we use the service object, like for quick actions, REST API, GraphQL, controller, etc.
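
A minimal sketch of the proposal, added here as an illustration and not taken from GitLab's code base: the inner service performs the `can?`-style check itself, so an indirect caller that never checks permissions still cannot create an issue for an unauthorized user. `Policy`, `Result`, `CreateIssueService`, `CreateIncidentService` and `demo` are hypothetical stand-ins.

```ruby
# Constructed stand-ins: none of these classes are GitLab's real implementation.
User    = Struct.new(:name, :abilities)
Project = Struct.new(:name)
Result  = Struct.new(:status, :message, :payload) do
  def success?
    status == :success
  end
end

# Hypothetical policy helper mirroring the can?(user, ability, subject) shape.
module Policy
  def self.can?(user, ability, _subject)
    !user.nil? && user.abilities.include?(ability)
  end
end

class CreateIssueService
  def initialize(project:, current_user:, params:)
    @project, @current_user, @params = project, current_user, params
  end

  # The authorization check lives here, so every caller inherits it.
  def execute
    unless Policy.can?(@current_user, :create_issue, @project)
      return Result.new(:error, 'user is not allowed to create issues', nil)
    end

    Result.new(:success, nil, { title: @params.fetch(:title), author: @current_user.name })
  end
end

# An indirect caller (like the incident chain described above) that performs no
# permission check of its own; it stays safe because the inner service refuses.
class CreateIncidentService
  def initialize(project:, current_user:, title:)
    @project, @current_user, @title = project, current_user, title
  end

  def execute
    CreateIssueService.new(project: @project, current_user: @current_user,
                           params: { title: "Incident: #{@title}" }).execute
  end
end

# Runs the whole chain for a constructed user holding the given abilities.
def demo(abilities)
  user = User.new('alice', abilities)
  CreateIncidentService.new(project: Project.new('demo'), current_user: user, title: 'DB down').execute
end
```

Returning an error result instead of raising lets callers such as the REST API, GraphQL or quick actions map the refusal to their own response format.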