@jdreizler Your examples are one and the same.  You are granting access to projects by groups or users associated with roles / permission scheme.  The issue is you are currently providing access via a group that is applied to all users on the default role / permission scheme used by all projects.  I would suggest constructing your groups, roles and permission scheme in a way that will support your access policies.  This will then require some adjustments to each project but you would be set moving forward.

I suggest using project roles. You can still have groups, and the project admin would add the group or person to the desired role.  I normally have one permission scheme for all projects that way. All you need to do is publish a chart of the roles and what permissions they have. I have a role that can do everything, one can just browse, and one for someone that wants notifications for everything like a watcher for all issues. I have some others for special things like approving a CR, or transitions an issue from say testing to production. I do have one scheme that doesn't allow anyone permission for retired projects that someone may want to refer back to. In that case I add that person to the browse role while they need it.