[main] Cleanup remaining SSP references (#36248)

- `cherry-pick` 888e03a
- remove references to System.Security.Permissions and its closure
  - only mentions are in eng/PackageOverrides.txt and eng/PlatformManifest.txt
  - those files will remain unused until we update them in the run-up to 6.0.1
  - may see some package refs for SSP and its closure elsewhere but this does not impact targeting pack content
- also remove duplication between `@(AspNetCoreReferenceAssemblyPath)` additions (for efficiency)

nit: Only need to exclude System.Net.Quic from `@(_AvailableRuntimeRefAssemblies)`
  - Crypto.Pkcs is **not** present in the transport package
  - other disallowed entries aren't present in the transport package or our dependency closure

src/Framework/App.Ref/src/Microsoft.AspNetCore.App.Ref.csproj

@@ -123,14 +123,8 @@ This package is an internal implementation of the .NET Core SDK and is not meant
           BeforeTargets="_GetPackageFiles"
           DependsOnTargets="ResolveReferences;FindReferenceAssembliesForReferences">
     <ItemGroup>
-      <!-- Exclude transitive external dependencies that are not directly referenced in AspNetCore or Runtime. -->
-      <_DisallowedReferenceAssemblies Include="
-          Microsoft.Win32.SystemEvents.dll;
-          System.Drawing.Common.dll;
-          System.Net.Quic.dll;
-          System.Security.Cryptography.Pkcs.dll;
-          System.Security.Permissions.dll;
-          System.Windows.Extensions.dll" />
+      <!-- Exclude a dependency that we don't want to expose. -->
+      <_DisallowedReferenceAssemblies Include="System.Net.Quic.dll" />
       <_AvailableRuntimeRefAssemblies Include="$(RuntimeTransportReferenceDirectory)*.dll"
           Exclude="@(_DisallowedReferenceAssemblies->'$(RuntimeTransportReferenceDirectory)%(Filename)%(Extension)')" />
     </ItemGroup>
@@ -140,18 +134,22 @@ This package is an internal implementation of the .NET Core SDK and is not meant
     </JoinItems>
 
     <ItemGroup>
-      <!-- Again, ignore ref/ assemblies provided in the transport package that we don't want in this package. -->
+      <!--
+        Grab full dependency closure but exclude Microsoft.NETCore.App.Ref assets (avoid duplicates) and
+        Microsoft.Internal.Runtime.AspNetCore.Transport assets (almost all added just below).
+
+        Filename exclusions are due to implementation assemblies creeping into the closure. Reference assemblies
+        for all but System.Security.Cryptography.Pkcs are available in the transport package.
+      -->
       <AspNetCoreReferenceAssemblyPath
           Include="@(ReferencePathWithRefAssemblies)"
           Exclude="
-            @(_ReferencedRuntimeRefAssemblies);
             @(ReferencePathWithRefAssemblies->WithMetadataValue('NuGetPackageId', 'Microsoft.NETCore.App.Ref'));
-            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'Microsoft.Win32.SystemEvents'));
-            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Drawing.Common'));
-            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Net.Quic'));
+            @(ReferencePathWithRefAssemblies->WithMetadataValue('NuGetPackageId', 'Microsoft.Internal.Runtime.AspNetCore.Transport'));
+            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Diagnostics.EventLog'));
+            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.IO.Pipelines'));
             @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Security.Cryptography.Pkcs'));
-            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Security.Permissions'));
-            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Windows.Extensions'));" />
+            @(ReferencePathWithRefAssemblies->WithMetadataValue('Filename', 'System.Security.Cryptography.Xml'))" />
 
       <AspNetCoreReferenceAssemblyPath
           Include="@(_ReferencedRuntimeRefAssemblies->'$(RuntimeTransportReferenceDirectory)%(FileName)%(Extension)')" />