Return 404 for non-public profiles instead of 403

In cases where a profile is not public and user is not logged-in or not authorized to view it, we should probably return a 404 instead of a 403 because the latter reveals the existence of the profile (and is also confusing to non-logged-in users).

We can probably use `Response::denyAsNotFound()` in the policy. See https://laravel.com/docs/10.x/authorization#customising-policy-response-status