API V3: avoid leaking information through expandable fields

[stsewd]

There are still more things to do, but first I'm removing the ones that aren't documented, so this shouldn't be a breaking change, and the information from those fields can already be obtained from the main object or from other endpoints, and if another user with lower permissions was relying on those fields, that was actually a bug.

Ref https://github.com/readthedocs/readthedocs-corporate/issues/1736.

Tests are on .com.

Expandable fields may look cool, but once you have to deal with permissions, they are a pain. Sorry, had to vent.