Default target project for merge requests should be source project for merge requests from private forks
Problem to solve
If I fork a public project, and make my fork private, when I create a new merge request it targets the public project by default. This exposes my private work by default. If I am working on a confidential change, like a security fix, this default makes it easy to leak a security issue.
Further details
We are working to improve the security process, and this default behavior is blocking progress: https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8614#note_255712183
Proposal
If the source project of a new merge request is a fork, the new merge request will automatically target the parent project in the fork network.
If the source project has more restrictive visibility than the parent project, the target project of the new merge request should be the source project.
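The proposed rule, sketched as an added example (this is not GitLab's code). `Project`, `default_target_project` and the sample paths are hypothetical, and the sketch assumes only the visibility ordering private < internal < public.

```ruby
# Added illustration, not GitLab's implementation. Project and
# default_target_project are hypothetical names.
# Only the ordering matters: private < internal < public.
VISIBILITY_RANK = { private: 0, internal: 1, public: 2 }.freeze

Project = Struct.new(:path, :visibility, :fork_parent) do
  def rank
    VISIBILITY_RANK.fetch(visibility) # raises KeyError on an unknown level
  end
end

# Default target project for a new merge request opened from `source`.
def default_target_project(source)
  parent = source.fork_parent
  return source if parent.nil?               # not a fork: target itself
  return source if source.rank < parent.rank # fork is more restrictive: stay in the fork
  parent                                     # same or less restrictive: target the parent
end

# Constructed sample fork network.
UPSTREAM = Project.new("group/app", :public, nil)
SAMPLES = [
  UPSTREAM,
  Project.new("alice/app", :private, UPSTREAM),  # e.g. a confidential security fix
  Project.new("bob/app", :internal, UPSTREAM),
  Project.new("carol/app", :public, UPSTREAM)
].freeze

# Maps each source project path to the path of its default target.
def default_targets(projects)
  projects.to_h { |p| [p.path, default_target_project(p).path] }
end

if __FILE__ == $PROGRAM_NAME
  default_targets(SAMPLES).each { |src, dst| puts "#{src} -> #{dst}" }
end
```

Only the public fork keeps the parent as its default target; the private and internal forks default to themselves, so opening a merge request against the public parent becomes a deliberate choice.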