fix: Validate blob before attaching it to a record (#13115)

Previously, attachments relied only on blob_id, which made it possible
to attach blobs across accounts by enumerating IDs. We now require both
blob_id and blob_key, add cross-account validation to prevent blob
reuse, and centralize the logic in a shared BlobOwnershipValidation
concern.

It also fixes a frontend bug where mixed-type action params (number +
string) were incorrectly dropped, causing attachment uploads to fail.
Pranav
2025-12-19 19:02:21 -08:00
committed by GitHub
parent 86da3f7c06
commit 2adc040a8f
9 changed files with 278 additions and 90 deletions


@@ -18,7 +18,6 @@ RSpec.describe 'Api::V1::Accounts::UploadController', type: :request do
blob = response.parsed_body
expect(blob['errors']).to be_nil
expect(blob['file_url']).to be_present
expect(blob['blob_key']).to be_present
expect(blob['blob_id']).to be_present
end
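Review bot: the hunk header (-18,7 +18,6) records one line removed from this example, but the rendered view carries no +/- markers, so it is not visible which expectation was dropped. Because the commit now requires both blob_id and blob_key when attaching a blob, the upload spec should keep asserting `expect(blob['blob_key']).to be_present` and `expect(blob['blob_id']).to be_present`, since these are exactly the two values a client must echo back for the new ownership check to pass.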
@@ -53,7 +52,6 @@ RSpec.describe 'Api::V1::Accounts::UploadController', type: :request do
blob = response.parsed_body
expect(blob['error']).to be_nil
expect(blob['file_url']).to be_present
expect(blob['blob_key']).to be_present
expect(blob['blob_id']).to be_present
end
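Review bot: `expect(blob['error']).to be_nil` here disagrees with `expect(blob['errors']).to be_nil` in the previous hunk; at most one of these names the key the upload controller actually renders, and the other passes vacuously because a missing hash key is nil. Pick the key the controller emits and use it in both examples so the assertion catches a real error payload.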