I am reviewing https://github.com/discourse/discourse/pull/6877 by @maja.
The particular condition we are protecting against is:
- category (authors: read)
- subcategory (pilots: read)
What this means is that pilots are not allowed to see anything in the category yet have been granted permissions in the subcategory, so something is fishy.
The condition:
- category (authors: read)
- subcategory (pilots: read, authors: write)
Is still after this new validation.
The tricky thing though is that we no longer will allow:
- category (trust_level_3: read)
- subcategory (trust_level_4: write)
This particular edge case gives me pause; there is an easy enough workaround … you would have to explicitly change
- category (trust_level_3: read, trust_level_4: read)
Given the OP is in a pretty bad state I say we see how the new restriction shakes up. FYI @HAWK @jomaxro