
bug: ResourceSelector isn't inherited by the default APIBindings mechanism #3779

@OlegErshov

Describe the bug

I want to constrain access to the secret resource by the LabelSelector or ExpressionSelector (documentation link). I use one apiBinding, core.platform-mesh.io, which serves as the default one for many workspaces, but when a new workspace is created, the inherited apiBinding core.platform-mesh.io-<hash> has no ResourceSelector and has just the matchAll:true instruction. I think this code is the reason for it (code link), but I'm not 100% sure about it.

Steps To Reproduce

The default apiBinding in the example is core.platform-mesh.io, and it has a matchLabels resource selector for the secret resource. In the orgs workspace (or any other) there's an inherited apiBinding with the name core.platform-mesh.io-<hash>, and this core.platform-mesh.io-<hash> apiBinding has matchAll:true instead of the matchLabels resource selector. The PR with the code example to reproduce the described issue: platform-mesh/security-operator#249

To reproduce it:

  1. Run the kcp binary (e.g. kcp start --bind-address=127.0.0.1) in a separate terminal.
  2. Find the admin kubeconfig for the newly created kcp instance. The kubeconfig should be in the same directory where the kcp start command was executed.
  3. Run export KUBECONFIG="path to your admin kubeconfig"
  4. If you're in the root directory of the security operator, run go run ./internal/test/integration/cmd/kcp. This will configure the kcp instance
- root
    - orgs
        - test
        - no-reconcile-org
    - platform-mesh-system

After this you can use the admin kubeconfig to navigate to any workspace and check the inherited apiBinding; all of them will have the matchAll:true instruction instead of the resource selector.

Expected Behaviour

I expected to see the inherited apiBinding identical to the default apiBinding, and in terms of this topic I expected to see the matchLabels resource selector in the inherited apiBinding.

Additional Context

No response
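
An added example, not part of the issue or of the kcp code base: a Go check that compares each claim selector in an inherited apiBinding with the same claim in the default apiBinding and reports any that differ, such as the matchAll:true case described above. The JSON field layout (spec.permissionClaims[] with group, resource and selector), the label key and the function name SelectorDrift are assumptions, and the two sample objects are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"reflect"
)

// Assumed field layout (not from the issue): spec.permissionClaims[] with group, resource, selector.
type selector struct {
	MatchAll    bool              `json:"matchAll"`
	MatchLabels map[string]string `json:"matchLabels"`
}
type binding struct {
	Metadata struct{ Name string }
	Spec     struct {
		PermissionClaims []struct {
			Group, Resource string
			Selector        selector
		}
	}
}

// Constructed sample objects; the label key and value are made up.
const defaultBinding = `{"metadata":{"name":"core.platform-mesh.io"},"spec":{"permissionClaims":[{"group":"","resource":"secrets","selector":{"matchLabels":{"example.test/shared":"true"}}}]}}`
const inheritedBinding = `{"metadata":{"name":"core.platform-mesh.io-<hash>"},"spec":{"permissionClaims":[{"group":"","resource":"secrets","selector":{"matchAll":true}}]}}`

// SelectorDrift lists inherited claims whose selector differs from the default binding's claim.
func SelectorDrift(defJSON, inhJSON string) ([]string, error) {
	var def, inh binding
	if err := errors.Join(json.Unmarshal([]byte(defJSON), &def), json.Unmarshal([]byte(inhJSON), &inh)); err != nil {
		return nil, err
	}
	want := map[string]selector{}
	for _, c := range def.Spec.PermissionClaims {
		want[c.Group+"/"+c.Resource] = c.Selector
	}
	var out []string
	for _, c := range inh.Spec.PermissionClaims {
		key := c.Group + "/" + c.Resource
		if w, ok := want[key]; ok && !reflect.DeepEqual(w, c.Selector) {
			out = append(out, fmt.Sprintf("%s %s matchAll=%v", inh.Metadata.Name, key, c.Selector.MatchAll))
		}
	}
	return out, nil
}
func main() {
	fmt.Println(SelectorDrift(defaultBinding, inheritedBinding))
}
```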

Labels

kind/bug
