Overview
Unpublished Canvas pages are accessible to anonymous users who have the `access content` permission. This causes two related problems:
1. **Direct URL access**: Anonymous users can view unpublished/draft Canvas pages if they know (or guess) the URL
2. **Sitemap exposure**: Unpublished pages appear in XML sitemaps (via modules like `simple_sitemap`), potentially exposing draft content to search engines
The `PageAccessControlHandler::checkAccess()` method uses an `orIf()` pattern that bypasses the publication status check inherited from `EditorialContentEntityBase`:

```php
'view' => $access->orIf(
  AccessResult::allowedIfHasPermissions($account, ['access content', Page::CREATE_PERMISSION, Page::EDIT_PERMISSION, Page::DELETE_PERMISSION], 'OR')
),
```
This grants view access if the user holds ANY of those permissions, regardless of whether the page is published. Since most Drupal sites grant anonymous users the `access content` permission, this effectively makes every Canvas page, published or unpublished, publicly accessible.
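The `orIf()` shape described above next to a hardened alternative, as an added illustration that is neither the Canvas module's code nor the fix shipped for the advisory. It assumes a hypothetical `example_page` module whose entity implements `EntityPublishedInterface` (as `EditorialContentEntityBase` does) and a placeholder draft-view permission name; both reported symptoms hinge on this one `view` decision, since a sitemap generator that consults entity access inherits whatever it returns.

```php
<?php

namespace Drupal\example_page;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityAccessControlHandler;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityPublishedInterface;
use Drupal\Core\Session\AccountInterface;

// Illustrative handler, not the Canvas module's code or its security fix.
class PageAccessControlHandler extends EntityAccessControlHandler {

  // Placeholder permission name; a real module declares it in *.permissions.yml.
  const VIEW_UNPUBLISHED_PERMISSION = 'view unpublished example pages';

  protected function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
    if ($operation !== 'view' || !$entity instanceof EntityPublishedInterface) {
      return parent::checkAccess($entity, $operation, $account);
    }

    // Vulnerable shape from the report: orIf() lets 'access content' alone
    // grant 'view', so the inherited published-status check never matters:
    //
    //   return parent::checkAccess($entity, $operation, $account)->orIf(
    //     AccessResult::allowedIfHasPermissions($account, ['access content', ...], 'OR')
    //   );

    // Hardened shape: 'access content' only counts for published pages. The
    // result depends on the entity, so it is cached per page, not per role.
    $published = AccessResult::allowedIf($entity->isPublished())
      ->addCacheableDependency($entity);
    $public_view = $published->andIf(
      AccessResult::allowedIfHasPermission($account, 'access content')
    );

    // Drafts stay reachable only through an explicit, separately granted
    // permission, which the anonymous role should never hold.
    $draft_view = AccessResult::allowedIfHasPermission($account, self::VIEW_UNPUBLISHED_PERMISSION);

    // A neutral result (neither allowed nor forbidden) is denied with HTTP 403.
    return $public_view->orIf($draft_view);
  }

}
```

Owner-based access (an author viewing their own draft) is deliberately left out; it would be a further `orIf()` branch that also checks `$entity` ownership and adds the entity as a cache dependency.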
Steps to reproduce
**Direct access:**
1. Install Canvas module
2. Create a Canvas page and leave it unpublished (status = 0)
3. Note the page ID (e.g., `/page/24`)
4. Ensure anonymous role has `access content` permission (default configuration)
5. In a private/incognito browser window, visit the page URL (e.g., `/page/24`)
6. **Result**: The page renders with HTTP 200 status
7. **Expected**: Access denied (HTTP 403)
**Sitemap exposure:**
1. Install `simple_sitemap` module
2. Enable Canvas pages for sitemap indexing at `/admin/config/search/simplesitemap/entities`
3. Create both published and unpublished Canvas pages
4. Regenerate sitemap: `drush simple-sitemap:rebuild-queue && drush simple-sitemap:generate`
5. View sitemap at `/sitemap.xml`
6. **Result**: Both published AND unpublished pages appear in sitemap
7. **Expected**: Only published pages should appear
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | canvas-unpublished-page-access-3565916-2.patch | 2.71 KB | jschref |
Comments
Comment #2
jschref commented:
And a patch
Comment #3
drumm commented:
This was the original report that led to https://www.drupal.org/sa-contrib-2026-006
jschref - In the future, report potential security issues confidentially. Use the “Report a security vulnerability” link on the project page.