[Forward 7.9] constrain document translation with security domain (automatically derived from user session)

In the document view, the translations dropdown shows options to add translations if they don't exist yet, based on the couplings of the root folders.

But if access to those coupled root folders have been restricted for the logged in user using domains, these options should be hidden. When the option is used, a dialog shows, titled 'Exception', with "Unable to find root folder for language nl" and 'An error occurred, please retry.' It's more logical if the option would not show.

In code, I traced it down to the call
available = new HippoTranslatedNode(highestTranslatedNode).getTranslations(); in org.hippoecm.repository.translation.impl.TranslationWorkflowImpl#hints, and then to
org.hippoecm.repository.translation.HippoTranslatedNode#getTranslations in which a query to find coupled root nodes is used with a workflowuser session (rootSubject) and not the logged-in user session (userSubject).

Because the workflow user is used, all coupled root folders are found.

Reproduction:
I added two quick and dirty domain overrides for a 7.8 archetype.
Then create a coupled root folder as admin, the author should not see that.
Please also empty property /hippo:configuration/hippo:frontend/login/login/loginPage/cms.privileges to keep access as author.