Open
Description
Based off of:
The current pre-authorizer implementation contains logic tightly coupled to the specific cluster-scoped permission needs of the contentmanager component (introduced as a temporary fix in #1858).
This tight coupling makes the pre-authorizer less generic and harder to maintain. This story is to refactor the pre-authorizer to handle permission requirements (namespaced and cluster-scoped) in a decoupled, configuration-driven, or otherwise generic manner, removing the specific dependency on contentmanager.
Acceptance Criteria:
[ ] Pre-authorizer logic is refactored to remove hardcoded checks specific to contentmanager's permission needs.
[ ] A generic mechanism is implemented for components/configurations to declare their permission requirements (including cluster scope) to the pre-authorizer.
[ ] contentmanager functionality remains correctly authorized by the refactored pre-authorizer.
[ ] Code comments related to the previous temporary coupling are removed/updated.
[ ] Tests verify the generic handling of different permission scopes.
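A minimal sketch of the kind of generic declaration mechanism the acceptance criteria describe, added here as an illustration and not taken from the project's code. All type and function names (`Rule`, `Requirement`, `RequirementProvider`, `Grants`, `PreAuthorize`, `staticProvider`) and the sample rules are hypothetical; it assumes the usual Kubernetes RBAC scoping, where a cluster-wide grant covers every namespace and a namespaced grant covers only its own namespace.

```go
package main

import "fmt"

// Rule is one permission; Requirement scopes it (Namespace "" = cluster-scoped).
type Rule struct{ Group, Resource, Verb string }
type Requirement struct {
	Namespace string
	Rule      Rule
}

// RequirementProvider is the hypothetical extension point: each component
// declares its needs, so the pre-authorizer carries no component-specific logic.
type RequirementProvider interface {
	Name() string
	Requirements() []Requirement
}

// Grants maps a scope ("" = cluster-wide) to the rules granted in that scope.
type Grants map[string]map[Rule]bool

// allowed: cluster-wide grants satisfy any scope; namespaced grants only their own namespace.
func (g Grants) allowed(r Requirement) bool {
	return g[""][r.Rule] || g[r.Namespace][r.Rule]
}

// PreAuthorize returns the unmet requirements, keyed by provider name.
func PreAuthorize(g Grants, providers ...RequirementProvider) map[string][]Requirement {
	missing := map[string][]Requirement{}
	for _, p := range providers {
		for _, r := range p.Requirements() {
			if !g.allowed(r) {
				missing[p.Name()] = append(missing[p.Name()], r)
			}
		}
	}
	return missing
}

// staticProvider is a config-driven provider; the rules used in main are constructed.
type staticProvider struct{ name string; reqs []Requirement }

func (s staticProvider) Name() string                { return s.name }
func (s staticProvider) Requirements() []Requirement { return s.reqs }

func main() {
	list, get := Rule{"", "namespaces", "list"}, Rule{"", "configmaps", "get"}
	cm := staticProvider{"contentmanager", []Requirement{{"", list}, {"install-ns", get}}}
	fmt.Println(PreAuthorize(Grants{"install-ns": {list: true, get: true}}, cm))
}
```

With only namespaced grants, the cluster-scoped `list` requirement is reported as missing even though the same rule is granted inside `install-ns`, which is the scope distinction the tests in the last criterion would need to cover.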