Specifically, we want to allow `:read_group`, without which
certain policy checks will fail.

This was implemented in support of
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40088, but can
be extracted in advance, and fixes a distinct bug.

The basic assumption of policies is that if `A` delegates to `B` and
user `U` is allowed to perform action `x` on `B`, then that user is
allowed to perform that action on `A` (i.e. policies are transitive).

The `prevent_all` call in this policy breaks that assumption, which is
relied on by GraphQL authorization to hold. Without this fix, the
following situation is possible:

- there exists a group `G`, which is public
- there exists a membership of a user `U` in `G`
- `Ability.allowed?(nil, :read_group, G) === true`
- `Ability.allowed?(nil, :read_group, U) === false`

This means that anonymous users cannot read the membership of public
groups, but they **can** read the membership of public projects.