Resolution: Tracked Elsewhere
Probably can be said for many atlassian products, but occasionally you need negative permissions on a repository or branch.
project groupA read
-repo (don't want sub-groupA to see some sensitive repo)
--branch (or don't want sub-groupA to see some sensitive branch)
One workaround is to make an entire new project.
Another workaround is to remove the project groupA read and do repo groupA read on the other remaining repos.
no access permission
no read permission