Refactor: implement "passthrough" for public/private user lists
This will work well for a hotfix, but we may want to consider similar guards for the stat endpoints:

```ts
if (!item.is_public && userId !== item.user_id) {
  throw new UnauthorizedException("You're not authorized to view this list");
}
```

since anyone with that list id string can get any list stat (regardless of whether it's public or not) via the API directly.
Originally posted by @jpmcb in https://github.com/open-sauced/api/pull/368#pullrequestreview-1671602459
This is in relation to removing the auth guards on the user list stats endpoints, which was a hotfix to allow for public user lists but, in the long run, will now allow people to use the API directly to query the stats of a private list.

We should come up with an elegant way to decorate services with a "passthrough" that checks whether a list is public or private against the provided user id for that list.
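One way to implement such a passthrough in TypeScript, as an added example that is not code from the open-sauced/api repository: the `UserList` shape, the `findList` lookup, `withListAccessCheck` and the stand-in exception classes are assumptions, and the sample lists and stat function are constructed.

```typescript
// Stand-ins for NestJS's exceptions so this runs without @nestjs/common (assumed names).
class UnauthorizedException extends Error {
  constructor(message: string) { super(message); this.name = "UnauthorizedException"; }
}
class NotFoundException extends Error {
  constructor(message: string) { super(message); this.name = "NotFoundException"; }
}

// Assumed shape of a user list row.
interface UserList { id: string; user_id: number; is_public: boolean; }

// The guard from the review comment, factored out so every stat endpoint shares it.
// A public list passes through for anyone (including unauthenticated callers);
// a private list only passes for its owner.
function assertCanViewList(item: UserList, userId?: number): void {
  if (!item.is_public && userId !== item.user_id) {
    throw new UnauthorizedException("You're not authorized to view this list");
  }
}

// Shape shared by stat service methods: (listId, userId) => result.
type StatFn<R> = (listId: string, userId?: number) => R;

// Wraps a stat function so the list lookup and visibility check always run
// before the stat query, regardless of which controller calls it.
function withListAccessCheck<R>(
  findList: (listId: string) => UserList | undefined,
  statFn: StatFn<R>,
): StatFn<R> {
  return (listId, userId) => {
    const item = findList(listId);
    if (!item) throw new NotFoundException(`list ${listId} not found`);
    assertCanViewList(item, userId);
    return statFn(listId, userId);
  };
}

// Constructed sample data: one public and one private list.
const sampleLists: UserList[] = [
  { id: "pub-1", user_id: 1, is_public: true },
  { id: "priv-2", user_id: 2, is_public: false },
];
const findSampleList = (id: string) => sampleLists.find((l) => l.id === id);

// Constructed stat function standing in for a real query (e.g. contributor count).
const contributorCount = withListAccessCheck(findSampleList, (listId) =>
  listId === "pub-1" ? 12 : 3,
);
```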