Avoid rejecting additional attributes consistently in security policies

Description

Most parts of a policy do not, e.g. rules does not permit additional attributes, however actions does. I don't see why we reject additional attributes in some places at all, since this breaks forward-compatibility between schema versions. I'll raise a draft MR to start discussion, but have some other things to get to first

See Slack thread (internal).

Implementation Plan

• backend remove from ee/app/validators/json_schemas/security_orchestration_policy.json additionalProperties: false entries,