Enforce publisher purpose consent on directly set config

[patmmccann]

We propose a new activity check: if tcfControl module has a flag, we would want to make sure that directly set ufpd and eids are checked for publisher purposes in the same way ppid is now, so publishers are not accidentally circumventing consent.

Subject to identifying publisher demand, this problem is currently hypothetical

[dgirardi]

EIDs (and ufpd) that are provided directly through config are currently not checked against transmit* activities. The check would need to be added in core (not tcfControl, which only defines rules; it would break the pattern if including it added additional activity checks - for example if you want to add a custom rule on your own EIDs, it wouldn't make sense if you needed to include tcfControl for it to work).

Since this is breaking it needs either a configuration toggle (also in core) or it should wait until 10.

Besides tcfControl, the mspa module(s) also set rules on transmit*. Do they need to be updated? (if consent is denied according to our interpretation of mspa, are you not supposed to include your own data?)