Scope all bulk deletes to current company and fix inverted ownership transfer

Bulk delete: filter IDs through whereCompany() before deleting in all
controllers (Invoices, Payments, Items, Expenses, Estimates, Recurring
Invoices). Previously, any user could delete records from other companies
by providing cross-company IDs.

Transfer ownership: fix inverted hasCompany() check that allowed
transferring company ownership to users who do NOT belong to the company,
while blocking users who DO belong.

Ref #567
Darko Gjorgjijoski
2026-04-03 14:01:30 +02:00
parent 6092e48cf6
commit 242b689311
7 changed files with 32 additions and 8 deletions


@@ -68,7 +68,11 @@ class EstimatesController extends Controller
{
$this->authorize('delete multiple estimates');
Estimate::destroy($request->ids);
$ids = Estimate::whereCompany()
->whereIn('id', $request->ids)
->pluck('id');
Estimate::destroy($ids);
return response()->json([
'success' => true,
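Review bot: the scoped query silently drops any requested IDs that belong to another company, yet the handler still answers `'success' => true`; consider comparing `$ids->count()` against `count($request->ids)` and returning an error (or at least the count actually deleted) so a caller submitting cross-company IDs gets a rejection rather than a misleading success, which also makes such attempts visible in logs. Separately, `$request->ids` is passed straight into `whereIn('id', $request->ids)` without validation; a `$request->validate(['ids' => 'required|array', 'ids.*' => 'integer'])` ahead of the query would reject malformed input before it reaches the database.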