Bluetooth: Mesh: Use separate net_bufs for bt_mesh_app_decrypt in friend

unseg_app_sdu_decrypt decrypts messages in place using a single net_buf.
While this is safe in terms of data access, the buffer state is
manipulated with the assumption that they're two different buffers, and
the output buffer's length field is increased at the end. When
assertions are enabled and the pdu length is 11 or 12 bytes, this
triggers the net_buf length assert, as the decrypt function attempts to
add the pdu length to the out buffer, with the assumption that it was
reset before decryption was started.

Create a separate output buffer with len = 0 to avoid triggering the
assert. Improve readability of the unseg_app_sdu functions to highlight
the need for the additional buffer.

Fixes #37519.

Signed-off-by: Trond Einar Snekvik <Trond.Einar.Snekvik@nordicsemi.no>