Fix DB paths, add auth to sensitive endpoints, misc bug fixes

- scheduler.py: Use full path for scheduler_state.db instead of relative name
- recycle.py: Use full path for thumbnails.db instead of relative name
- cloud_backup.py, maintenance.py, stats.py: Require admin for config/cleanup/settings endpoints
- press.py: Add auth to press image serving endpoint
- private_gallery.py: Fix _create_pg_job call and add missing secrets import
- appearances.py: Use sync httpx instead of asyncio.run for background thread HTTP call

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/backend/routers/press.py

@@ -1075,7 +1075,7 @@ def cache_press_image(image_url: str, use_flaresolverr: bool = False) -> Optiona
 
 
 @router.get("/images/{filename}")
-async def serve_press_image(filename: str):
+async def serve_press_image(filename: str, current_user: Dict = Depends(get_current_user)):
     """Serve a cached press article image."""
     # Sanitize filename
     if '/' in filename or '..' in filename: