Add columns property to ActivitySprunje class

[Jearnest94]

Fix so you can't download a users hashed password

[Copilot]

Pull request overview

This PR adds a security fix to the ActivitySprunje class to prevent user password hashes from being exposed through the activities API. When activities are joined with user data, only explicitly whitelisted columns are now returned, excluding sensitive fields like password hashes.

Key Changes

• Added a $columns property to ActivitySprunje that whitelists safe columns from both the activities and users tables
• Ensures password hashes and other potentially sensitive user fields are not exposed when querying activities

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[lcharette]

I merged it for V5 as a quick fix, but I think it doesn't fully solve it. Any other Sprunje with a left join might include the sensitive data. It's not included when the JSON is returned as this one invoke the model "hidden" part. So I think CSV should call "toArray" in the background instead.