I have previously raised this point but it didn't get much attention.
We are very keen to share workspace wider with our users however we want to do this in a controlled way using curated projects. We don't want all users to have complete un-curated access. We wouldn't give everyone access to ad-hoc and workspace is now more powerful.
However we have found that users have found a way to bypass their access levels and create un-curated projects when they shouldn't be able to. They can do this just by clicking the 'Try in workspace' button in R&A. This gives them a completely unrestricted access to workspace when they shouldn't be able to. When we have external agencies able to do this then it is potentially breaking all sorts of data security processes.