rls_rails
Add support to automatically use a non-privileged role
While the force option for policies solves the issue of a table owner bypassing RLS, we hit other issues removing SUPERUSER from the primary database account used for migrations and other tasks.
These changes add an alternative approach where the session is optionally switched to another non-privileged role whenever RLS is enabled.
This is actually a very nice idea! We face the same issues you described, which makes schema modifications here and there a bit brittle. The only issue I see is that the default state is unsafe. If, due to a bug, RLS was not enabled, no RLS policies are applied. I am also wondering if changing the role might have any side effects at the transaction level.
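The PostgreSQL behaviour this thread is about, as an added sketch that is not part of the pull request or of rls_rails' own code. The roles app_owner and app_user, the documents table and the app.tenant_id setting are assumptions made for the demo.

```sql
-- Constructed demo for a scratch database, run as a superuser.
-- app_owner, app_user, documents and app.tenant_id are assumed names.
CREATE ROLE app_owner NOLOGIN;   -- stands in for the migration account, no SUPERUSER
CREATE ROLE app_user  NOLOGIN;   -- non-privileged: no SUPERUSER, no BYPASSRLS
CREATE TABLE documents (id int PRIMARY KEY, tenant_id int NOT NULL, body text);
ALTER TABLE documents OWNER TO app_owner;
GRANT SELECT ON documents TO app_user;
INSERT INTO documents VALUES (1, 1, 'a'), (2, 2, 'b');

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- missing_ok = true plus NULLIF: an unset or empty tenant matches no rows.
CREATE POLICY tenant_isolation ON documents
  USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::int);

-- 1. Owner without FORCE: policies are skipped for the table owner.
SET ROLE app_owner;
SELECT row_security_active('documents');  -- guard: do policies apply to current_user?
SELECT count(*) FROM documents;           -- sees every tenant's rows

-- 2. FORCE makes the policy apply to the owner as well.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;
SELECT count(*) FROM documents;           -- filtered; tenant unset, so nothing matches
ALTER TABLE documents NO FORCE ROW LEVEL SECURITY;
RESET ROLE;

-- 3. Role switch scoped to one transaction.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '1';
SELECT current_user, count(*) FROM documents;  -- filtered to tenant 1
COMMIT;
SELECT current_user;   -- SET LOCAL ended with the transaction

-- 4. Session-level switch: survives COMMIT, which matters for pooled connections.
SET ROLE app_user;
BEGIN; SELECT 1; COMMIT;
SELECT current_user;   -- still app_user until RESET ROLE
RESET ROLE;
```

Step 1 is the state a session is left in when the role switch is skipped and FORCE is off; `row_security_active` is a check that exposes it before any query runs.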