Interesting, would you agree with: ‘if a user can create an account, the app should never hit production without privacy rules set up’. I can think of a couple of very basic examples that would require no privacy rules but they basically end at the point that a user can create an account!
If pigs could fly 