Implement 'super permissions' as described by @totten

Implement 'super permissions' as described by @totten

This picks up on an idea Tim has pushed several times - ie that instead of giving out 'Administer CiviCRM' willy nilly
we could deprioritise it in favour of 2 more granular permission bundles - ie Administer CiviCRM data & administe CiviCRM system.

This allows us to make some permissions more 'locked away' without endlessly adding new 'administer Payment Processors'
because we've realised not everyone who can create profiles needs to be able to see payment processor credentials.

It also allows us to make system checks less broadly visible where they are not appropriate.

Note that to proceed with this we would need to go through all places that check Administer CiviCRM & put in one
or both of the 2 new permissions. Having Administer CiviCRM implicitly includes anything granted to the existing
permissions so the implementation is smooth-ish there. However, I can imagine we would need a hook allowing people
to categorise themselves or we would find ourselves litigating all sorts