Python: Default Dapr module allowlist to semantic_kernel prefix (#13596)

### Motivation and Context

Follow-up to #13499. The previous PR added the `allowed_module_prefixes`
parameter but defaulted it to `None`, which meant the module restriction
was only active if developers discovered and configured it.
Secure-by-default is the right posture here — restrict first, let
developers widen as needed.

- Change `allowed_module_prefixes` default from `None` to
`("semantic_kernel.",)` across Dapr runtime step loading
- Non-SK step classes now require developers to explicitly add their
module prefix (e.g. `("semantic_kernel.", "myapp.steps.")`)
- Developers can pass `None` to opt out entirely, but the secure default
is now enforced
- The Dapr runtime code is experimental, so this is a non-breaking
change per our stability guarantees

<!-- Thank you for your contribution to the semantic-kernel repo!
Please help reviewers and future users, providing the following
information:
  1. Why is this change required?
  2. What problem does it solve?
  3. What scenario does it contribute to?
  4. If it fixes an open issue, please link to the issue here.
-->

<!-- Describe your changes, the overall approach, the underlying design.
These notes will help understanding how your code works. Thanks! -->

### Contribution Checklist

<!-- Before submitting this PR, please make sure: -->

- [X] The code builds clean without any errors or warnings
- [X] The PR follows the [SK Contribution
Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md)
and the [pre-submission formatting
script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts)
raises no violations
- [X] All unit tests pass, and I have added new tests where possible
- [ ] I didn't break anyone :smile:

---------

Co-authored-by: MAF Dashboard Bot <maf-dashboard-bot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>