Thanks, that makes sense.
It is not so much that I distrust a specific person I have chosen as a moderator. I am trying to choose the least-powerful role that matches the job I actually want them to do.
Thinking about it more, I think there are a few separate needs here which should not be mixed together:
- general topic organisation / community tidying;
- handling flags in a specific category;
- ordinary deletion of a user’s own posts;
- more sensitive deletion/revision-history handling.
For example, if the main need is topic organisation/community tidying, then TL4 may be more appropriate than category moderator because it avoids giving access to the flag review queue at all. If I actually need someone to review flags in a category, then category moderator is the relevant role, with a clear local policy that they should not handle reviewables involving their own posts.
My remaining question is whether a category moderator can see which user raised a flag against them when their own post is flagged.
I also take the point that a theme component should not be relied on as a security boundary, because it would mainly hide UI rather than change the underlying permission model.
So I think my practical options are:
- use TL4/Leader where I want trusted community help but not flag handling;
- use category moderator only where I genuinely want that person reviewing flags;
- keep ordinary own-post deletion separate from moderation permissions;
- keep permanent deletion/revision-history removal as an admin/full-moderation matter rather than something solved by category moderation;
- keep a written policy that moderators should defer flags involving their own posts.
That answers my question unless there is a stronger permission-level way to exclude self-authored flagged posts from a category moderator’s review queue, or unless the flagger identity is already hidden from the post author in that self-flag scenario.