Since notifications are stored in Redis, we can't expect relational
integrity: deleting a user will *not* delete notifications that
mention it.
But if we return notifications with missing bits (a `follow` without a
`user`, for example), the frontend will get very confused and throw an
exception while trying to render them.
This change makes sure we never expose those broken notifications. For
uniformity, I've applied the same logic to notes and roles mentioned
in notifications, even if nobody reported breakage in those cases.
Tested by creating a few types of notifications with a `notifierId`,
then deleting their user.
(cherry picked from commit 421f8d49e5d7a8dc3a798cc54716c767df8be3cb)
417bb2d31e