Fix DB paths, add auth to sensitive endpoints, misc bug fixes

- scheduler.py: Use full path for scheduler_state.db instead of relative name
- recycle.py: Use full path for thumbnails.db instead of relative name
- cloud_backup.py, maintenance.py, stats.py: Require admin for config/cleanup/settings endpoints
- press.py: Add auth to press image serving endpoint
- private_gallery.py: Fix _create_pg_job call and add missing secrets import
- appearances.py: Use sync httpx instead of asyncio.run for background thread HTTP call

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Todd
2026-03-30 08:25:00 -04:00
parent 7101c96b26
commit 523f91788e
8 changed files with 18 additions and 17 deletions


@@ -25,7 +25,7 @@ from pydantic import BaseModel, Field
from slowapi import Limiter
from slowapi.util import get_remote_address
from ..core.dependencies import get_current_user, get_app_state
from ..core.dependencies import get_current_user, require_admin, get_app_state
from modules.universal_logger import get_logger
logger = get_logger('CloudBackup')
@@ -837,7 +837,7 @@ async def get_config(user=Depends(get_current_user)):
@router.put("/config")
async def update_config(update: CloudBackupConfigUpdate, user=Depends(get_current_user)):
async def update_config(update: CloudBackupConfigUpdate, user=Depends(require_admin)):
"""Save cloud backup configuration and regenerate rclone.conf."""
existing = _load_config()
update_dict = update.model_dump(exclude_unset=True)
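Review bot: The read side of this endpoint pair is still on `get_current_user`: the second hunk's header shows `async def get_config(user=Depends(get_current_user))`, while only `update_config` moves to `require_admin`. The docstring says this configuration is used to regenerate rclone.conf, so it presumably holds remote credentials. If `get_config` returns those unmasked, any authenticated non-admin can still read what only admins may now write. Either change it to `user=Depends(require_admin)` or confirm the response redacts secret fields, and add a comment on the route stating which it is. The body of `update_config` continues outside the hunk, so the rclone.conf write path itself is not visible here.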