Stop requiring unnecessary aggregation_unit:toplevel_query:toplevel_query permission scopes

[jc-harrison]

Following #5163, access to a toplevel_query query at aggregation_unit level with a other_query sub-query requires both aggregation_unit:toplevel_query:other_query and aggregation_unit:toplevel_query:toplevel_query permission scopes.

This means that the aggregation_unit:toplevel_query:toplevel_query scope is always required, but it is possible for FlowAuth users to define a role with aggregation_unit:toplevel_query:other_query but not aggregation_unit:toplevel_query:toplevel_query, which doesn't actually grant permission for any query (but this may not be intuitively clear to the user).

I wonder whether it would be best to only require aggregation_unit:toplevel_query:toplevel_query (in FlowAPI) if there are no sub-queries? (I.e. if a user has the required sub-query scopes, they don't need to also have the additional top-level scope). Effectively this would change the meaning of aggregation_unit:toplevel_query:toplevel_query from "can run a toplevel_query query" to "can run a toplevel_query query with no sub-queries".

An alternative could be to enforce this on the FlowAuth side (i.e. if agg_unit:tl_query:sub_query is selected, automatically add agg_unit:tl_query:tl_query to the role as well). But I think overall it's cleaner to handle this in FlowAPI.

Originally posted by @jc-harrison in #5163 (comment)