Description of problem:
Projects currently support restrictions on who can access them by assigning roles to projects that Users need to have in order to be able to access them.
This is problematic, in so far as it is impossible to restrict access to Projects in the underlying git repository as a git repository can only be secured at the repository level. Thus the additional restriction in the UI can be easily circumvented.
If a project needs to be protected from unauthorized access, it should be placed in a separate repository.
Version-Release number of selected component (if applicable):
I am afraid restrictions on organizational units also don't make much sense for the same reason. Correct me if I am wrong, but git does not care about any org. unit above its repositories. So, when someone sets the restrictions on an org. unit in the good-faith belief that all included repositories are safe now, it takes effect in the UI only and anyone with knowledge of the repository names can clone them anyway.
This requires further analysis and clarification from PM. Requesting it to be deferred to 6.2.0.