Replace ImageDecoder::set_limits with ImageDecoder::set_allocation_limit

[fintelia]

The goal of this PR is to give the Limits struct a single purpose of controlling limits for ImageReader while the lower-level API directly expects the caller to check dimensions (and output buffer sizes) so the only remaining limit is memory allocation.

This also makes the concept of strict limits (if we add any) clearer. Now the ImageReader is responsible for figuring out which limits can be supported and directly returning an error if necessary. No more need for every decoder to check its supported limits against the requested ones.

Another inspiration for this PR was the idea from #2708 of having a shared Arc<AtomicU64> for the allocation limit. In particular, in a followup we could switch things so that set_allocation_limit took an atomic limit, while having the higher-level Limits object keeps its existing non-atomic max_alloc field. The interfacing between the two could then be fully encapsulated within the ImageReader type.

[197g]

I think we still want a type of sorts around the primitive type, be it just to intentionally get rid of its Copy impl. (Not that it should be non-exhaustive like the other structs).