[Lint] Report public capability fields

[turbolent]

Feature Request

Capabilities should not be accessible by unauthorized parties. For example, capabilities should not be accessible through a public field, including public dictionaries or arrays. Exposing a capability in such a way allows anyone to borrow it and perform all actions that the capability allows.

Detect and report public fields with a capability type; directly, or indirectly (e.g. array/dictionary of capabilities)

[dsainati1]

After Stable Cadence, once entitlements are released, this won't be unsafe in principle; having a Capability in a public field is not a problem as long as it has the proper entitlements. I think we should change this on the Stable Cadence side to only warn about auth Capabilities in public fields.