Actually the each issue security scheme might be the way to go. When the issue is resolved assign a default security scheme and delete the issue specific scheme. This would help to automatically clean up the issue security schemes..... Still would be a lot of them, but at least they would get cleaned up.

Here's an example of a listener I use to change the security level on production defects to make them public:

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.issue.MutableIssue
import com.atlassian.jira.issue.security.IssueSecurityLevelManager
import com.atlassian.jira.issue.security.IssueSecuritySchemeManager
import com.atlassian.jira.event.type.EventDispatchOption
import com.atlassian.jira.issue.CustomFieldManager
import com.atlassian.jira.issue.fields.CustomField

def issue = event.issue as MutableIssue
def issueManager = ComponentAccessor.getIssueManager()
def customFieldManager = ComponentAccessor.getCustomFieldManager();
def cf = customFieldManager.getCustomFieldObjectsByName("Exists in Production?")
def existsInProdValue = issue.getCustomFieldValue(cf[0]) as String

if ((existsInProdValue == "Yes" && issue.issueType.name == "Defect") || issue.issueType.name == "Service Request")
{
def issueSecuritySchemeManager = ComponentAccessor.getComponent(IssueSecuritySchemeManager)
def issueSecurityLevelManager = ComponentAccessor.getComponent(IssueSecurityLevelManager)
def schemeFromName = issueSecuritySchemeManager.getSchemeObjects().find { it.name == "Allow Public View" }
def projectKey = issue.getProjectObject().getKey()
def schemeFromProject = issueSecuritySchemeManager.getSchemeFor(ComponentAccessor.projectManager.getProjectByCurrentKey(projectKey))
def securityLvl = issueSecurityLevelManager.getIssueSecurityLevels(schemeFromName.id).find { it ->
it.name == "Public"
}?.id

def user = ComponentAccessor.getUserManager().getUserByName("jiraadmin")

issue.setSecurityLevelId(securityLvl)
issueManager.updateIssue(user, issue, EventDispatchOption.DO_NOT_DISPATCH, false)
}

@scott_boisvert

Not exactly. Using a security level with a a "user custom field value" should allow for 1 level that is dynamically set based on that custom field.

Just add the mentioned users to the field and you basically have issue specific permissions (for viewing)

As per the administrative requirement issues must not be visible to all the members. Only the person involved should be able to see it also they want the flexibility to tag/comment peope to make issue visible to them.
This is the reason it is becoming complex for me. 

I thought this might be the answer but sometimes it’s just a „we always did that like this“. 

I‘ll try to loop one of the scripters in. 

Thanks a lot for your help! :) 

Make sure u also think of your security levels then. Providing them with the browse permissions basically gives them access to all issues (within their security level) and I don't think you'll want them to have full access by being mentioned in a single issue right?

Have u thought of giving them all the browse permission but then dynamically setting the security level as they are mentioned? (perhaps by adding them to a custom field)