microsoft / hcsshim

Windows - Host Compute Service Shim
MIT License

Disable host process containers when disable unsafe operations is enabled #2164

Closed katiewasnothere closed 2 months ago

katiewasnothere commented 2 months ago

Host process containers are not safe for multi-tenant scenarios since they run directly on the host and use the host's network. Don't allow host process containers to be used when DisableUnsafeOperations is set.

katiewasnothere commented 2 months ago

@helsaawy and @anmaxvl I reworked this PR to instead change how we handle annotation expanding. Instead of the annotations sharing the same value as the parent annotation, I added the ability to set a target value for the child annotations. Do y'all have any thoughts on this approach?

Note: optionally in the future we could even expand this to use parent annotations that are not true or false. For example, I could envision an annotation like "memorybacking" and when that annotation's value is "physical" then it could expand with child annotations allowovercommit to false and vpmemdevicecount to 0, like we have for the annotation "fullyphysicallybacked".
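The approach described in the thread, as an added example that is not part of the PR and not hcsshim's own code: a small Go model of annotation expansion in which each child annotation carries its own target value instead of inheriting the parent's value. The annotation keys (`disableunsafeoperations`, `hostprocess`, `fullyphysicallybacked`, `allowovercommit`, `vpmemdevicecount`), the `rules` table, and the functions `ExpandAnnotations` and `HostProcessAllowed` are hypothetical names chosen for illustration; the real hcsshim annotation constants and expansion code differ. The example goes slightly beyond the thread by rejecting a caller-supplied child value that contradicts the rule's target, so that an explicit request for a host process container cannot slip past a parent annotation that disables unsafe operations.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Hypothetical annotation keys using the short names from the PR thread;
// they are illustrative, not hcsshim's real annotation constants.
const (
	AnnoDisableUnsafeOperations = "disableunsafeoperations"
	AnnoHostProcess             = "hostprocess"
	AnnoFullyPhysicallyBacked   = "fullyphysicallybacked"
	AnnoAllowOvercommit         = "allowovercommit"
	AnnoVPMemDeviceCount        = "vpmemdevicecount"
)

// childTarget is a child annotation together with the value it is forced to
// when its parent annotation matches the rule's trigger value.
type childTarget struct {
	key   string
	value string
}

// expansionRule ties a parent annotation and the parent value that triggers
// the rule to the child annotations (with explicit target values) it expands into.
type expansionRule struct {
	parent   string
	trigger  string
	children []childTarget
}

// rules is a constructed table modelled on the thread: a parent annotation no
// longer copies its own value into its children; each child names its target.
var rules = []expansionRule{
	{
		parent:  AnnoDisableUnsafeOperations,
		trigger: "true",
		// Host process containers run on the host and use its network, so they
		// are turned off whenever unsafe operations are disabled.
		children: []childTarget{{AnnoHostProcess, "false"}},
	},
	{
		parent:  AnnoFullyPhysicallyBacked,
		trigger: "true",
		children: []childTarget{
			{AnnoAllowOvercommit, "false"},
			{AnnoVPMemDeviceCount, "0"},
		},
	},
}

// ExpandAnnotations returns a copy of annots with every matching rule applied.
// A child annotation the caller set explicitly to a value that conflicts with
// the rule's target is reported as an error instead of being silently
// overwritten, so hostprocess=true cannot be combined with
// disableunsafeoperations=true.
func ExpandAnnotations(annots map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(annots))
	for k, v := range annots {
		out[k] = v
	}
	var conflicts []string
	for _, r := range rules {
		// A missing parent annotation yields "" and never matches a trigger.
		if strings.ToLower(out[r.parent]) != r.trigger {
			continue
		}
		for _, c := range r.children {
			if cur, ok := out[c.key]; ok && strings.ToLower(cur) != c.value {
				conflicts = append(conflicts,
					fmt.Sprintf("%s=%s conflicts with %s=%s", c.key, cur, r.parent, r.trigger))
				continue
			}
			out[c.key] = c.value
		}
	}
	if len(conflicts) > 0 {
		sort.Strings(conflicts) // deterministic error text regardless of map order
		return nil, fmt.Errorf("annotation conflicts: %s", strings.Join(conflicts, "; "))
	}
	return out, nil
}

// HostProcessAllowed reports whether the expanded annotations still permit a
// host process container; the check runs on the expanded set, never the raw one.
func HostProcessAllowed(expanded map[string]string) bool {
	return strings.ToLower(expanded[AnnoHostProcess]) == "true"
}

func main() {
	// Constructed input: a request that disables unsafe operations and asks
	// for fully physical memory backing.
	in := map[string]string{
		AnnoDisableUnsafeOperations: "true",
		AnnoFullyPhysicallyBacked:   "true",
	}
	out, err := ExpandAnnotations(in)
	fmt.Println(out, err, HostProcessAllowed(out))
}
```

The point of checking `HostProcessAllowed` on the expanded map rather than on the caller's annotations is that the policy decision and the expansion cannot drift apart: whatever the caller wrote, the parent annotation's target value is what the container runtime sees.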