Two cents from the API dept:
In order to quickly and efficiently operate, the API must know what *read* rights the user has *before* performing db page queries.
Example: get 100 page titles
* Normal operations: API has to query with limit 101, add each to the result. If there is a 101st row, more data is available, so add "from=nextTitle" to let the client know how to get more results.
* If "can read" rule is page-based, API has to check each page title before adding to the result. So the user may get < 100 titles, even nothing, but still get a "from=xxx" to continue paging. But what if that xxx is also non-visible? API may perform another query, try to find the next readable title... In our current scenario, this might mean the entire NS will have to be read until the user realizes that the whole NS is blocked for her.
Proposed solution: Only allow the entire NS to be hidden from everybody/a group/a user. In such case, the API will refuse to get data for any pages in that NS. In case there is a white list allowing a specific page to be visible (like Main or Login), API ignores it as well, unless the page is asked specifically by name.
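
The paging behaviour described in this comment, as an added example that is not part of the original comment or of the project's code. It contrasts filtering titles after the limit+1 query with refusing a hidden namespace before any query runs; the namespace id, titles and function names are constructed for illustration.

```python
import bisect

# Constructed sample data: 250 sorted titles in a hypothetical namespace 100.
TITLES = {100: [f"Secret{i:03d}" for i in range(250)]}

def query(ns, start, limit):
    """Stand-in for the indexed DB query: up to `limit` titles >= start."""
    rows = TITLES.get(ns, [])
    i = bisect.bisect_left(rows, start)
    return rows[i:i + limit]

def list_page_acl(ns, start, limit, can_read):
    """Page-based rule: fetch limit+1 rows, then check each title."""
    rows = query(ns, start, limit + 1)
    nxt = rows[limit] if len(rows) > limit else None  # becomes from=nextTitle
    visible = [t for t in rows[:limit] if can_read(ns, t)]
    return visible, nxt

def list_ns_acl(ns, start, limit, hidden_ns):
    """Namespace rule: decide before any query; listings ignore whitelists."""
    if ns in hidden_ns:
        raise PermissionError(f"namespace {ns} is not readable")
    rows = query(ns, start, limit + 1)
    nxt = rows[limit] if len(rows) > limit else None
    return rows[:limit], nxt

def crawl_page_acl(ns, limit, can_read):
    """Client that follows from= until it runs out: (titles, requests)."""
    seen, requests, start = [], 0, ""
    while start is not None:
        visible, start = list_page_acl(ns, start, limit, can_read)
        seen += visible
        requests += 1
    return seen, requests

if __name__ == "__main__":
    # A user who can read nothing still walks the whole namespace.
    print(crawl_page_acl(100, 100, lambda ns, t: False))
    try:
        list_ns_acl(100, "", 100, hidden_ns={100})
    except PermissionError as e:
        print("refused up front:", e)
```

With the page-based rule every response is empty yet still carries a continuation value, so the server scans all 250 rows across three requests; the namespace rule answers in constant time with no rows read.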