Bluetooth: Host: Re-subscribe only after encrypt change

Wait until encrypt change to trigger the re-subscription quirk.
Otherwise it could fail with insufficient security.

Also gate it behind a kconfig to make apparent its dependencies:

If `add_subscriptions()` is executed in the first place, that means that
the device was bonded and thus that it has to encrypt the link eventually.

`BT_GATT_AUTO_SEC_REQ` should take care of that.

Also add a new flag to `bt_gatt_subscribe_params` to not send the same CCC
write multiple times in some cases.

Signed-off-by: Jonathan Rico <jonathan.rico@nordicsemi.no>
Co-authored-by: Aleksander Wasaznik <aleksander.wasaznik@nordicsemi.no>