feat: enforce no-new-privileges for non-root containers

[Copilot]

• todo: remove the value in update-yaml.sh

Adds security-opt: no-new-privileges:true to all AIO-managed containers confirmed to run as a non-root user, preventing privilege escalation via setuid/setgid binaries.

Changes

• containers-schema.json – Added no_new_privileges boolean field to the container definition schema
• Container.php – Added noNewPrivileges bool property
• ContainerDefinitionFetcher.php – Reads no_new_privileges from JSON and passes it to Container
• DockerActionManager.php – Builds SecurityOpt array incrementally; appends no-new-privileges:true when set. Also fixes the Collabora seccomp case to append to the existing array rather than overwrite it (preserving label:disable and no-new-privileges)
• containers.json – Added "no_new_privileges": true to all 12 confirmed non-root containers:

Container	Effective user
nextcloud-aio-apache	33 (www-data)
nextcloud-aio-database	999
nextcloud-aio-notify-push	33 (www-data)
nextcloud-aio-redis	999
nextcloud-aio-collabora	1001 (Dockerfile)
nextcloud-aio-talk	1000
nextcloud-aio-talk-recording	122
nextcloud-aio-domaincheck	www-data (Dockerfile)
nextcloud-aio-clamav	100
nextcloud-aio-imaginary	65534 (nobody)
nextcloud-aio-fulltextsearch	1000 (Dockerfile)
nextcloud-aio-whiteboard	65534 (nobody)

Containers that legitimately run as root (nextcloud, borgbackup, watchtower, onlyoffice, docker-socket-proxy) and the externally-managed harp image are intentionally excluded.