The removal of 'cr_gid' from cr_groups[] as cr_groups[0] made
cr_canseeothergids() skip considering the subject's first supplementary
group, causing the 'security.bsd.see_other_gids' policy to be too
restrictive, and cr_xids_subset() miss a check on the effective GID,
relaxing the "can debug" and "can export KTLS keys" checks.

Fix these policies.

Fixes: be1f7435ef218b1d ("kern: start tracking cr_gid outside of cr_groups[]")
Sponsored by: The FreeBSD Foundation