Looking at these components, currentUser?.groups is not reliable anyway, since it only includes visible groups for the user, and the groups that they are in that impact permissions may not be serialized here:
We get around this in core/plugins by doing stuff like this in the current user serializer:
But obviously, this is not available to theme components/themes and their settings.
Hmm not sure, will have to think about this. If you truly meant everyone, then it would need to change to both logged_in_users AND anonymous_users . This was the main problem with everyone as stated in the OP – some people took it to mean only logged in users, others took it to mean logged in + anon, and it was very situation-dependent.
I chose the “only logged in users” interpretation because that was safer from a security POV.
Nope, just didn’t think about theme components/themes and their settings and how they would be impacted by this change, I was mostly focused on site settings. Stuff like this especially will be very hard to find, since it’s not even using the AUTO_GROUPS const:
Anyway, I will think up some solutions to these issues, and I won’t move this change along to Stable until I figure them out.