OpenShift API for Data Protection
OADP-2493

Allow disabling "pod-security.kubernetes.io/enforce: privileged" for OADP-protected namespaces


Details

    • Feature Request
    • Resolution: Unresolved
    • Normal
    • OADP 1.4.0
    • OADP, operator
    • ToDo

    Description

      Proposed title of this feature request

      Allow disabling "pod-security.kubernetes.io/enforce: privileged" for OADP-protected namespaces

      What is the nature and description of the request?

      Customer is reviewing the security of their platform and has noticed that the namespace in which a `DataProtectionApplication` is created (using the OADP Operator on OpenShift) is managed by the operator, and that the namespace is then statically set to the privileged PSA profile:

      {{kind: Namespace
      apiVersion: v1
      metadata:
        [...]
        labels:
          [...]
          pod-security.kubernetes.io/enforce: privileged}}

      The customer would like to disable this behaviour as the customer does not use Restic or Data Mover.

      Why does the customer need this? (List the business requirements here)

      Customer would like to enforce the principle of least privilege. The customer does not use Restic or Data Mover and therefore would not need this permission on a protected namespace.

      Having more fine-grained privileges would increase the perceived security of the platform.

      List affected component/s.

      OADP Operator

       

      Potentially blocking Velero issues:

      Backup requires cluster scope to succeed, even when installed without clusterAdministrator · Issue #5156 · vmware-tanzu/velero (github.com)
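      The check a platform team would run while reviewing this: list every namespace whose enforce label is more permissive than the profile they require, so the OADP namespace described above shows up with its `privileged` label. The script below is an added example, not OADP or Velero code. It parses the v1 NamespaceList that `oc get namespaces -o json` (or `kubectl get namespaces -o json`) prints; the embedded NamespaceList and its namespace names are constructed for the example, and the OADP namespace in it carries only the enforce label shown in the issue.

```python
"""Audit Pod Security Admission (PSA) labels on namespaces.

Added example; this is not OADP or Velero code. It reads a v1 NamespaceList
(the JSON that `oc get namespaces -o json` prints) and reports every
namespace whose enforce label is more permissive than the profile you
require. The sample NamespaceList below is constructed for this example.
"""
import json
import sys

PSA_PREFIX = "pod-security.kubernetes.io/"
MODES = ("enforce", "audit", "warn")
# PSA profiles ranked from most to least permissive.
LEVEL_RANK = {"privileged": 0, "baseline": 1, "restricted": 2}


def psa_labels(namespace):
    """Return {mode: level} for the PSA labels present on one Namespace object.

    Modes without a label are omitted; for those the PodSecurity admission
    plugin's cluster-wide default applies, which this function cannot see."""
    labels = (namespace.get("metadata") or {}).get("labels") or {}
    return {mode: labels[PSA_PREFIX + mode]
            for mode in MODES if PSA_PREFIX + mode in labels}


def too_permissive(level, required):
    """True when `level` allows more than `required`.

    An absent label (None) is flagged so that a human checks the cluster
    default, and an unrecognised value is flagged rather than trusted."""
    if level not in LEVEL_RANK:
        return True
    return LEVEL_RANK[level] < LEVEL_RANK[required]


def audit(namespace_list, required="baseline", mode="enforce"):
    """Return [(name, level), ...] for namespaces whose `mode` label is weaker
    than `required`, in the order the API server listed them."""
    if required not in LEVEL_RANK or mode not in MODES:
        raise ValueError(f"unknown profile {required!r} or mode {mode!r}")
    findings = []
    for ns in namespace_list.get("items", []):
        name = ns["metadata"]["name"]
        level = psa_labels(ns).get(mode)
        if too_permissive(level, required):
            findings.append((name, level))
    return findings


# Constructed sample (names are assumptions): the OADP namespace labelled as
# the issue shows, an application namespace at restricted, and a namespace
# with no PSA labels at all.
SAMPLE_NAMESPACE_LIST = json.loads("""
{
  "apiVersion": "v1",
  "kind": "NamespaceList",
  "items": [
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "openshift-adp", "labels": {
       "pod-security.kubernetes.io/enforce": "privileged"}}},
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "app-team-a", "labels": {
       "pod-security.kubernetes.io/enforce": "restricted",
       "pod-security.kubernetes.io/audit": "restricted",
       "pod-security.kubernetes.io/warn": "restricted"}}},
    {"apiVersion": "v1", "kind": "Namespace",
     "metadata": {"name": "legacy", "labels": {"team": "ops"}}}
  ]
}
""")


def main():
    # Use a real NamespaceList when one is piped in on stdin; otherwise run
    # against the constructed sample so the script works offline.
    data = SAMPLE_NAMESPACE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for name, level in audit(data, required="baseline"):
        shown = level if level is not None else "<unset: cluster default applies>"
        print(f"{name}: enforce={shown}")


if __name__ == "__main__":
    main()
```

      Usage against a live cluster (the file name is an assumption): `oc get namespaces -o json | python3 psa_audit.py`. Namespaces with no enforce label are listed too, because whether they are effectively privileged depends on the PodSecurity admission plugin's cluster default, which the NamespaceList does not show.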

          People

            wnstb Wes Hayutin
            rhn-support-skrenger Simon Krenger
            Votes: 0
            Watchers: 4