pid1: allow removal of foreign-owned subcgroups of cgroups owned by some user (#35922)

This improves operation in unprivileged userns environments, where
unpriv user code might invoke a container with a delegated userns UID
range, and thus ends up with a subcgroup owned by another UID. With this
patch any user is always allowed to remove their own cgroups even if it
has subcgroups owned by other users.

This removes a DoS of sorts, and enforces the rule that users strictly
own everything below cgroups they own.