fix: Apply same restrictions on ingredient deltas as active manifest for validation state

[ok-nick]

This PR changes our logic to apply the same conditions we do on the active manifest to the ingredients as well. If you have an untrusted ingredient, should you have a trusted active manifest? If the ingredient has an untrusted claim signature does it already affect the active manifests success codes?

This change breaks many of our test cases that do not report a trusted success code (and others) for ingredients. I'm opening this PR for further discussion on this topic.