Use to toMap() in Link::jsonSerialize() could lead to data disclosure

The following code exists in Link::jsonSerialize()

        // TODO: this could lead to data disclosure - we should only return the fields that are actually needed
        $data = $this->toMap();

The code is called as part of LinkFieldController::linkData()

Data disclosure could happen when custom links or extensions to existing links add data columns that are not supposed to be shown in the CMS

Instead of using the 'include everything' approach, we should have an explicit list of fields returned. The list should be extensible.

Acceptance criteria

Review the usage of Link::jsonSerialize() and confirm what its used for and if it's returning fields that aren't needed.
Re-factor jsonSerialize and/or related method to only returned needed fields.
If there's an inherent residual security risk for custom link types, that risk is called out explicitly in the documentation.
TODO comment is removed from codebase.
Consider adding an extension hooks if there's a probably use case for it.

Being able to JSON serialise Links used to be a big deal because all the data was being passed via JSON string. It's a much smaller concern now.
Link used to extend the JsonSerializable interface. JsonSerializable::jsonSerialize() allows you to customise how an object gets represented when json_encode is called on it.
I would strongly suggest either:
- Reimplementing the JsonSerializable interface if there's still a need to be able to json serialise Links ... and using json_encode instead of directly calling jsonSerialize directly.
- Rename jsonSerialize to a more descriptive name if it's not actually serializing the Link.