We organize our code around technologies/tools/products, not around teams. Teams change more often than underlying technology. So, several teams may have repositories in a single project. If a team wants to make one of their repositories private, we can no longer use project-level permissions because there's now way to "turn off" a permission granted at the project level.
For example, we have a "SQL Server" project, for code relating to SQL Server. At the project level, we grant all users write access.
Someone has requested a "DBA" repository where our DBAs can commit SQL Server administration scripts. They don't want anyone to be able to read from this repository.
Now, we have to change the default access to all repositories in this project to "No Access", remove the all users "write" access, and update the permissions for each repository in the project to grant all users "write" access except the new DBA repository. In the future, we have to remember to apply these permissions on each new repository in the SQL Server project.
Ugh. What I want to be able to do is instead, go into the DBA repository permissions and change the permissions that all users have to be "None".