With GDPR it's more important than ever that we can restrict access to information that users do not require.  Therefore, I think it should be a standard feature that we can limit access to specific record types for groups of users.  Regardless of role, it would help if we can assign users to restriction groups and then assign to those groups settings like "Can See Requirements", "Can see pending requests".  Then the user assigned will get no results if they search for a pending request or requirements.