Wherever container_registry_enabled is being checked, we need to
update it to check the actor's permissions as well.

This is because we are migrating towards using
container_registry_access_level which allows for different users to
have different visibility of the container registry.

This commit changes project policy to only enable
build_read_container_image for all signed in users, for public and
internal projects, when container_registry_access_level is ENABLED.

For private projects, or when container_registry_access_level is
PRIVATE, build_read_container_image should only be available to
project members.