Mask hidden resource fields with data absent extension

[mattwiller]

Currently, hidden fields are simply stripped from resources when the resources are rendered into an API response. This is potentially confusing, and we could instead insert the Data Absent Reason extension with code masked to clearly indicate that the field is not being shown due to the user's access policy. To prevent information leakage, the extension should generally always be set as the value of that field when rendering the response, regardless of whether that field originally had a value. For nested fields, any intermediate nested objects should not be created to place the extension into if not already present — in this case it's acceptable to leave the entire absent parent field blank in the rendered resource JSON.