phosh-session: Drop ambient capabilities

Kai Lüke requested to merge kailueke/phosh:kailueke/drop-amb into main

Systemd 254 adds cap_wake_alarm by default in pam_systemd:
https://github.com/systemd/systemd/blob/0e2f18eedd6b9be32b1c1122dcd2c30319074c7f/NEWS#L703

The phosh.service makes use of it through PAMName=login. This causes phoc to run with this ambient capability, which is passed to the Phosh session, which then fails to spawn any .desktop files such as Epiphany or any Flatpak app because they depend on bwrap, which has a restrictive check against additional capabilities:
https://github.com/containers/bubblewrap/issues/380

A regular GNOME session with GDM and GNOME Shell does not have this problem.

Drop ambient capabilities before running the Phosh session to resolve the bwrap problem and align the behavior with the regular GNOME setup.
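
To check whether a session process inherited the ambient capability described above, read the `CapAmb` mask from `/proc/<pid>/status` and test the cap_wake_alarm bit. This is an added example, not code from the merge request or from phosh; the function names are hypothetical and the status lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not phosh code): classify the ambient capability set of a
# process from /proc/<pid>/status text. Helper names are hypothetical.

CAP_WAKE_ALARM=35   # bit number of CAP_WAKE_ALARM in <linux/capability.h>

# Print the hex CapAmb mask from status-formatted text on stdin.
# Exits non-zero when no CapAmb line is present.
ambient_mask() {
    awk '$1 == "CapAmb:" { print $2; found = 1; exit } END { exit !found }'
}

# Return 0 if bit number $2 is set in hex mask $1.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Read status text on stdin and print one verdict:
#   clean          - ambient set is empty (what a GDM/GNOME Shell session has)
#   cap_wake_alarm - the capability named in this merge request is ambient
#   other          - some other ambient capability is set
#   unknown        - no usable CapAmb line
check_status() {
    mask=$(ambient_mask) || { echo unknown; return 0; }
    # Only hex digits may reach the arithmetic expansion below.
    case $mask in
        ''|*[!0-9a-fA-F]*) echo unknown; return 0 ;;
    esac
    if [ $((0x$mask)) -eq 0 ]; then
        echo clean
    elif mask_has_cap "$mask" "$CAP_WAKE_ALARM"; then
        echo cap_wake_alarm
    else
        echo other
    fi
}

# Stand-alone use: report on the shell running this script, or on the PID
# given as the first argument (for example the PID of phoc).
pid=${1:-$$}
if [ -r "/proc/$pid/status" ]; then
    echo "pid $pid ambient capabilities: $(check_status < "/proc/$pid/status")"
fi
```

Any verdict other than `clean` for the session's processes means children started from it inherit ambient capabilities.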