Clarify profile permissions
The profile permissions (listings, listings and forms, view/create/edit) are quite vague and confusing, even for seasoned devs like myself. Most of them don't have descriptions nor warnings. This is at least in Drupal but maybe others as well.
For instance, in the code "CiviCRM: profile listings and forms" is described as "all powerful". And in the guide https://docs.civicrm.org/user/en/latest/initial-set-up/permissions-and-access-control/ it doesn't really clarify that this is a dangerous permission for anon/authenticated users. In fact, it even implies that anonymous roles are given this permission!
But ironically, "CiviCRM: profile create" sounds dangerous--can the user create forms?--when in fact it just means they can fill out a form.
It wouldn't be hard to just clarify these for everyone.