kcp
docs: document system workspaces (like shard-local `system:admin`)
We should write documentation on the special system workspaces of kcp (is there more than system:admin right now? I'm not aware). What they do, what is special about them, and how to access them.
system:admin for example is important in RBAC, because it powers the global authorizer, so every RBAC that is in that workspace applies to every logical cluster on the shard.
Another note here: It might be time to rename the concept from "system workspace" to "system (logical) cluster". There is no Workspace object for system:admin and I suspect the naming is a leftover from before the reshuffling of terminology.