Say that I have a category A where only a certain group X has Create / Reply / See access.
This might sound stupid but I must ask, sorry for my ignorance.
Can sensitive topics be held within A by X members with 100% certainty that no users out of X may have access in any way to those topics?
Have you experienced any way to hack through a category security?
There is no way someone else, except from group A, to see the closed category.
Or an administrator.
They can always see everything.
Post are stored in the database and Discourse is using PostgreSQL as the software that runs the database.
So the following statements relate to access that starts from there.
Since the database is a set of files anyone who has OS level access, e.g. bash prompt, and access to the files making up the database has access.
Anyone who has a dump of the database has access.
Anyone who has access to the backup files. The backup files might have additional builtin protections that limit the access, but one needs to check that, e.g the backup system encrypts the files during backup.