Tighten RLS boundaries for user profile data

[legalverb]

Summary

• Restrict direct users table reads to the authenticated owner instead of exposing every row through the existing OR true policy.
• Add a public_user_profiles projection for profile pages so public rendering can use a safe subset of columns.
• Split public-read policies from owner-only insert/update/delete policies for reading lists, reading-list books, and annotations.
• Drop the previous broad policy names before creating the narrower policies so existing databases do not retain permissive rules.

Security impact

The current schema enables RLS on user-scoped tables, but users_self_select currently evaluates to public access for every row. The users table includes fields such as email, reader preferences, location, reading stats, supporter flags, timestamps, and profile metadata. Public profile pages should not require exposing the full table.

The old FOR ALL policies on reading_lists, reading_list_books, and annotations also mix public-read conditions with write/delete policy definitions. Splitting read and write paths avoids public rows becoming eligible for mutation if table grants are present.

Validation

• Ran git diff --check.
• Confirmed the schema contains compatibility drops for the old broad policies.
• Confirmed the new policy names and public_user_profiles view are present.
• I could not run Prisma validation because this checkout does not have the Prisma CLI installed (corepack pnpm --filter @librarfree/db exec prisma validate reports Command "prisma" not found).

Related to #100.