Vary header should include Accept if a resource can be HTML and JSON

[lo48576]

Describe the bug

Dynamic pages that can return HTML or JSON (e.g., /users/{username}) should include Accept to Vary response header, but they don't.

This leads to wrongly cached user profile.
In my case, Cloudflare Tunnel caches a JSON representation for my profile page and returns it for normal browser access (including private browsing with no cookies and no browser caches).

To Reproduce

1. Get the user profile page with wget -qS -O https://{domain}/user/{username}.
2. See the Vary header. It is Accept-Language, Cookie.
3. Get the JSON version of user profile page, with wget -qS -O https://{domain}/user/{username} --header 'Accept: application/json'.
4. See the Vary header. It is still Accept-Language, Cookie.

Expected behavior

Vary header for those pages should include Accept header, since it returns different responses for different Accept values (typically for text/html and application/json (or application/activity+json for ActivityPub protocol)).

Screenshots

Vary header:

$ wget -qS -O - http://localhost:8080/user/nop_thread --header 'Accept: application/activity+json' 2>&1 | grep Vary:
  Vary: Accept-Language, Cookie
$

Cloudflare cache issue:

Instance

https://bookwyrm.nops.red/
(I'll purge and workaround the cache issue, so the JSON-returned-to-browser issue will become non-reproducible soon.)

Additional context

N/A