Email Address should not exist on Person

Summary: Currently, the Person record (the view of an Identity in a Space) contains that Identity's email address. We are going to significant effort to hide that email address from end users. But it really shouldn't be there in the first place.

The presence of Email Address on Identity is basically a historical accident dating back to the early days of the system, before I really understood the architecture completely. By now, it's duplicate data -- the email address mainly lives on Identity, where it belongs, which is not user-visible.

It is still needed on Person solely due to historical workflows: when I invite someone by email address, they don't have an Identity until they accept the invitation, so the Person record is the only place we're keeping it. But that's really a bug that needs to be fixed anyway -- we should be creating an Identity for this email address as soon as we send an email to it, so that we can record it if they tell us not to send any more emails, period. (Which is unfortunate, but we need to add that capability anyway, for legal reasons as much as anything -- there needs to be a "don't send any more emails from Querki" button.)

Important: we are still using the Email address on Person to figure out whether an invitee has already been invited into this Space. That is, we do specifically need to be able to collect, at the system level, all of the email addresses of all of the members and invitees of this Space. But there might be a better way to do this.