downscope `AllowClientOp` ACL to specific node pool

[tgross]

As of Nomad 1.8.1 and even more so in 1.9.0, we've reduced the permissions of the node secret to a limited set of RPCs necessary for the client (see https://github.com/hashicorp/nomad/pull/23304 https://github.com/hashicorp/nomad/pull/23838 https://github.com/hashicorp/nomad/pull/23910).

Although it seems like many of the remaining RPCs could be scoped to a specific nodes, in practice nodes sometimes need to get data about allocs running on other nodes in the cluster (ex. to do migrations). But we could probably tight up the AllowClientOp operation to allow access only to other nodes in the same node pool.