Fix DB paths, add auth to sensitive endpoints, misc bug fixes

- scheduler.py: Use full path for scheduler_state.db instead of relative name
- recycle.py: Use full path for thumbnails.db instead of relative name
- cloud_backup.py, maintenance.py, stats.py: Require admin for config/cleanup/settings endpoints
- press.py: Add auth to press image serving endpoint
- private_gallery.py: Fix _create_pg_job call and add missing secrets import
- appearances.py: Use sync httpx instead of asyncio.run for background thread HTTP call

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

web/backend/routers/stats.py

@@ -396,7 +396,7 @@ async def update_setting(
     request: Request,
     key: str,
     body: Dict,
-    current_user: Dict = Depends(get_current_user)
+    current_user: Dict = Depends(require_admin)
 ):
     """Update a specific setting value."""
     app_state = get_app_state()