Keep in mind, if the risks are high I strongly recommend running a second instance, we do so as well and have our internal, for the company only, discussions in a private instance. It provides a significantly higher barrier and internal company memos don’t accidentally find themselves on meta this way.
No matter what we do to clean up category permissions the vector of “user picking wrong category… disaster” is not something any UX can completely eliminate.
The category permission stuff re inheritance is definitely something we will fix though. At a minimum not allow any cases to save where child is less restrictive than parent.