XWiki Platform - XWIKI-20684

Comments of deleted documents can be viewed through REST API



    Description

      Steps to reproduce:

      1. Create a document named "Test" and restrict its view right (e.g., to admins) and add a comment to it.
      2. Delete that document.
      3. Create a new document with the same name with unrestricted view right.
      4. Open <xwiki-host>/xwiki/rest/wikis/xwiki/spaces/Test/pages/WebHome/history/deleted:2/comments (where <xwiki-host> is the URL of your XWiki installation) as a user who can view the new document but not the deleted one.

      Expected result:

      The access is denied/nothing is displayed.

      Actual result:

      The comment is displayed.

      While testing, displaying the deleted document itself didn't work due to an error while looking for child documents, but the objects endpoint seemed to work, too. The issue seems to be that XWIKI-16285 only fixed the use case of the regular view action and didn't take the REST API into account. Note also that the REST API first requests the current version of the document (probably assuming that revisions can only be old revisions of existing documents), so this only works for requesting a deleted version of an existing document, further limiting the scope of the attack.
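      The following is an added illustration of the access-control flaw described above; it is not XWiki's code and does not use XWiki's classes. It models, in plain Python, a REST handler for "history/deleted:<id>/comments" that resolves the current page first (as the report notes) and then returns the deleted snapshot's comments. The flawed variant checks view rights only on the current page; the hardened variant also verifies that the snapshot belongs to the requested page and that the user may view the snapshot under the rights it had when it was deleted. The classes, the user names ("admin", "bob") and the rule that a deleted snapshot keeps its own view rights are constructed assumptions for this example; XWiki's real policy for who may view recycle-bin entries may differ.

```python
# Added example (not XWiki's code): a toy model of the rights check behind
# ".../history/deleted:<id>/comments". All classes, names and the rights
# policy below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional


class Forbidden(Exception):
    """Raised when the requesting user may not view the content."""


class NotFound(Exception):
    """Raised when the live page or the recycle-bin entry does not exist."""


@dataclass
class Document:
    name: str
    # Set of users allowed to view; None means unrestricted (constructed rule).
    view_allowed: Optional[set]
    comments: list = field(default_factory=list)

    def can_view(self, user: str) -> bool:
        return self.view_allowed is None or user in self.view_allowed


class Wiki:
    """Live pages plus a recycle bin that keeps deleted pages under numeric ids."""

    def __init__(self):
        self.live: dict = {}
        self.recycle_bin: dict = {}
        self._next_id = 1

    def create(self, doc: Document) -> None:
        self.live[doc.name] = doc

    def delete(self, name: str) -> int:
        deleted_id = self._next_id
        self._next_id += 1
        # The snapshot keeps the rights it had at deletion time.
        self.recycle_bin[deleted_id] = self.live.pop(name)
        return deleted_id


def _load_current(wiki: Wiki, user: str, name: str) -> Document:
    # The resource first resolves the *current* page, mirroring the report.
    current = wiki.live.get(name)
    if current is None:
        raise NotFound(name)
    if not current.can_view(user):
        raise Forbidden(user)
    return current


def deleted_comments_unchecked(wiki: Wiki, user: str, name: str, deleted_id: int) -> list:
    """Flawed flow: only the live page's rights are checked before the
    deleted snapshot's comments are returned."""
    _load_current(wiki, user, name)
    snapshot = wiki.recycle_bin.get(deleted_id)
    if snapshot is None:
        raise NotFound(deleted_id)
    return list(snapshot.comments)


def deleted_comments_checked(wiki: Wiki, user: str, name: str, deleted_id: int) -> list:
    """Hardened flow: additionally require that the snapshot belongs to this
    page and that the user may view the snapshot under its own rights."""
    _load_current(wiki, user, name)
    snapshot = wiki.recycle_bin.get(deleted_id)
    if snapshot is None or snapshot.name != name:
        raise NotFound(deleted_id)
    if not snapshot.can_view(user):
        raise Forbidden(user)
    return list(snapshot.comments)


def reproduce() -> dict:
    """Walk through the report's four steps and record both outcomes."""
    wiki = Wiki()
    # Step 1: restricted page with a comment; step 2: delete it;
    # step 3: recreate it unrestricted under the same name.
    wiki.create(Document("Test", view_allowed={"admin"}, comments=["admin-only comment"]))
    deleted_id = wiki.delete("Test")
    wiki.create(Document("Test", view_allowed=None))

    def attempt(handler):
        # Step 4: "bob" may view the new page but not the deleted one.
        try:
            return handler(wiki, "bob", "Test", deleted_id)
        except Forbidden:
            return "forbidden"

    return {
        "unchecked": attempt(deleted_comments_unchecked),
        "checked": attempt(deleted_comments_checked),
        "checked_admin": deleted_comments_checked(wiki, "admin", "Test", deleted_id),
    }


if __name__ == "__main__":
    print(reproduce())
```

      The point of the two handlers is where the right is evaluated: a rights check on the live page says nothing about a snapshot that was deleted under different rights, so the check must be repeated against the snapshot itself (and the snapshot must be tied to the page being requested, so an id from another page cannot be reached through an unrestricted one).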

      People: Michael Hamann