[batch] Mount job secrets as read-only

Open daniel-goldstein opened this issue 2 years ago • 0 comments

These should never have been read-write. Caught this because a CI job I was modifying overwrote /gsa-key/key.json with /test-gsa-key/key.json, which caused the Output step to use the test credentials instead of CI credentials.

I also removed an overriding definition of secret_host_path in JVMJob. I don't see why it should be different than what's defined in Job and using host_path seems quite dangerous.

Added a test that we can't mv a secret path and updated some existing tests that assumed we can overwrite secrets.

TODO: Update build.yaml to not mv any secrets or PRs will fail when this joins the mainline.

daniel-goldstein Jun 21 '22 14:06
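
The failure described above can be caught from inside a job by auditing the mount table before any credential is used. The following is an added example, not code from the Hail repository: it parses text in `/proc/self/mounts` format and reports secret paths that are writable. The function names and the sample mount table are constructed, and it assumes each secret is its own mount point in the container.

```python
# Added example: flag secret mounts that a job step could overwrite.
# /gsa-key and /test-gsa-key are the paths named in the issue; the mount
# table below is constructed sample data in /proc/self/mounts format.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime 0 0
tmpfs /gsa-key tmpfs rw,relatime,size=4k 0 0
tmpfs /test-gsa-key tmpfs ro,relatime,size=4k 0 0
tmpfs /io tmpfs rw,relatime 0 0
"""


def _unescape(field):
    # The kernel writes space, tab, newline and backslash as octal escapes.
    # Backslash is decoded last so it cannot create a new escape sequence.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field


def writable_secret_mounts(mounts_text, secret_paths):
    """Return (path, reason) for every secret path that is not a read-only mount."""
    secrets = {p.rstrip("/") for p in secret_paths}
    read_only = {}
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mount_point = _unescape(parts[1]).rstrip("/") or "/"
        if mount_point in secrets:
            # A later entry on the same mount point shadows an earlier one.
            read_only[mount_point] = "ro" in parts[3].split(",")
    findings = []
    for path in sorted(secrets):
        if path not in read_only:
            # Assumption: a secret that is not its own mount lives on the
            # container's writable root filesystem.
            findings.append((path, "not a separate mount"))
        elif not read_only[path]:
            findings.append((path, "mounted read-write"))
    return findings


if __name__ == "__main__":
    for path, reason in writable_secret_mounts(SAMPLE_MOUNTS, ["/gsa-key", "/test-gsa-key"]):
        print(f"{path}: {reason}")
```

Inside a real container, pass the contents of `/proc/self/mounts` as `mounts_text`; an empty result means every listed secret is on a read-only mount.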