In OSSM 2.x we had to install istio-cni into a different namespace because we didn't want the mesh admin to have access to a privileged ServiceAccount. In OSSM 3.x, the mesh admin is a cluster admin, so there's no need to install istio-cni in any other namespace.

Upstream installs istio-cni in the same namespace as the control plane.

If we install istio-cni in the same namespace, then we can use ownerReferences instead of custom labels. This removes the need for adding a finalizer to the Istio resource, which makes the uninstallation of the operator easier to perform, since the Istio resource and CRD can be removed even if the operator is stopped beforehand.