ackama / rails-template

Application template for Rails 7 projects; preloaded with best practices for TDD, security, deployment, and developer productivity.

Consider setting `action_on_unpermitted_parameters` to `:raise` in development and/or test #551

Open G-Rath opened 3 months ago

G-Rath commented 3 months ago

`strong_parameters` uses `action_on_unpermitted_parameters` to control what happens when an unpermitted param is found, which can be set to `false`, `:log`, or `:raise`.

The default for production is `false` whereas in development and test it's `:log` but maybe we should set it to `:raise` for the latter?

It makes sense for it to be silent in production because ultimately anything can be passed to our endpoints, but that's also why I think it would make sense to be very loud in dev and test as we should only be getting expected params.

I don't think historically we've had any significant issues or bugs around params that this would catch, but I have come across some instances of unpermitted params being filtered in apps (most commonly with the CSRF token), which raises my eyebrows as I'm usually hunting down a niche bug, so I think it could be a way of improving our hygiene a bit.

G-Rath commented 3 months ago

Ok I applied it to my test suite and was immediately reminded that I've got cases where I explicitly pass in an unpermitted param as I'm checking that you can't e.g. pass in `entity_id` to have the app create a relationship on a nested entity (as that id should be from the route), but maybe it would still make sense to enable it for development?
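As an added illustration (not code from the rails-template project or from Rails itself), the stand-alone Ruby below models how strong_parameters reacts to unpermitted keys under `false`, `:log` and `:raise`, using the per-environment defaults from the first comment and the `entity_id` test case from the second. The class and method names are invented; the real setting is `config.action_controller.action_on_unpermitted_parameters` in `config/environments/<env>.rb`, and the real exception is `ActionController::UnpermittedParameters`.

```ruby
require "logger"

# Stand-in for Rails' ActionController::UnpermittedParameters (invented name).
class UnpermittedParameters < StandardError; end

# Minimal model of ActionController::Parameters#permit (invented, not Rails code).
class ParamsModel
  # Defaults per environment as described in the issue:
  # production stays silent, development and test log.
  DEFAULT_ACTION = { "production" => false, "development" => :log, "test" => :log }.freeze
  # Rails never reports these routing keys as unpermitted; same idea here.
  ALWAYS_PERMITTED = %w[controller action].freeze

  def self.default_action(env)
    DEFAULT_ACTION.fetch(env)
  end

  def initialize(hash, action:, logger: Logger.new(nil))
    @hash = hash.transform_keys(&:to_s)
    @action = action # false, :log or :raise
    @logger = logger
  end

  # Returns only the permitted keys; anything else is handled per @action.
  def permit(*keys)
    allowed = keys.map(&:to_s)
    unpermitted = @hash.keys - allowed - ALWAYS_PERMITTED
    unless unpermitted.empty?
      msg = "found unpermitted parameters: #{unpermitted.join(', ')}"
      case @action
      when :raise then raise UnpermittedParameters, msg
      when :log   then @logger.info(msg)
      end # false: drop silently
    end
    @hash.slice(*allowed)
  end
end

# The second comment's scenario: a spec sends entity_id in the body even though
# that id must come from the route. Under false/:log the key is dropped, so the
# spec can assert it was ignored; under :raise the spec must instead expect the
# exception. Returns the permitted hash, or the exception class when it raises.
def filter_entity_params(raw, action:, logger: Logger.new(nil))
  ParamsModel.new(raw, action: action, logger: logger).permit(:name)
rescue UnpermittedParameters => e
  e.class
end

# Constructed sample request body (not from the issue); the CSRF token shows up
# as unpermitted too, matching the first comment's observation.
BODY_WITH_ENTITY_ID = { name: "child", entity_id: 42, authenticity_token: "tok" }.freeze
```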