projects/tags/hashtags/etc. (synonymous with eachother?) are AIUI sometimes used as ACLs, sometimes used as task categories (a la bugzilla component), and probably in other ways I'm forgetting.
some tasks are in no project at all. e.g. phab:T599. should that be avoided?
some tasks are public but have projects that have restricted access. e.g. phab:project/view/29/ AFAIK, the only way to subscribe to/watch a project is to first join that project. that project says:
This group should reflect the 'ops' group in admin.yaml.This group is also used for permission-y type things in places, please don't add folks who are not part of operations.
maybe we should have a policy that any project which has tasks defaulting to open viewing/editing should not also be used as an ACL. if teams need an ACL then they can have a separate dedicated project to be used as ACL and nothing else. are there existing projects that have duplicates like that? one for team membership/CC list/etc. and a separate one for ACL usage. if we do this then we should have a new color coding, symbol, etc. to mean "ACL". still I would worry about people accidentally choosing the wrong (too-broad) project among a pair of projects. (or not noticing that someone else chose the wrong one)
or fix phab to allow non-members to be watchers.