[Waterluvian]

This feels like a “well they should have already been experts” answer, which isn’t really an answer.

If a Salesforce project started with zero permissions and made you add them in, and didn’t have any big blanket “*” permissions, I’d eyeball the implementers a wee bit more.

[mym1990]

For a project that has real world consequences in regards to private data, yes, they should have already been experts. There are about a million opportunities between the start and end of a project to evaluate and address data concerns and get the sharing and visibility model right. The permission model in Salesforce is not as black and white as zero permissions or big blanket * permissions. With a few exceptions for system administrators, Salesforce makes you make the decision of what to share with who whenever new objects and fields are created.