QUARKUS-7178

Encrypt OIDC tokens for custom TokenStateManager implementations

    • Story
    • Resolution: Unresolved
    • Major
    • 3.33.0.GA

      Fixes #51083.

      This PR ensures that, by default, tokens are encrypted irrespective of whether it is a `default` `TokenStateManager` or a custom one.

      It lets the default one continue encrypting tokens itself, because it encrypts the session cookie that holds all tokens, with a few tests proving it.

      DB `TokenStateManager`, which is a custom `TokenStateManager`, is tested to prove it has tokens encrypted by default but also that users retain an option to avoid encrypting them. I ran most of the DB tests, including the optional ones; `Db2DB` was the only one I could not run, as the image download takes ages and probably hangs...

      I did not update Redis `TokenStateManager` tests because it is just another custom `TokenStateManager`.

              msochure@redhat.com Miroslav Sochurek