Enable "Limit CI_JOB_TOKEN access" by default
Proposal
By default, the ci-job-token created in a pipeline has the ability to impersonate the user and access other projects. This can lead to the unintended exposure of sensitive data. For example, a user may create a test project with nothing sensitive in it to test CI features. They may avoid normal precautions in this test project and do something that exposes a ci-job-token. The user may not realize that that token can then be used to access sensitive data, like CI variables, from other projects they maintain.
We do offer the ability to scope the ci-job-token so that it cannot be used to move laterally between projects. Our documentation clearly recommends that this be enabled, yet we do not enable it by default:
This setting is disabled by default for all new projects. It is recommended that project maintainers enable this setting at all times, and configure the allowlist for cross-project access if needed.
Security best practices should be enabled by default, as it is unlikely that most administrators will be aware of all of these recommendations and take the time to configure them.
This issue is to propose turning this feature on by default.