we get this error:
Validation failed: Permissions can't set read permissions on InvitationRequest+*template to Anyone because incompatible read permissions: Anyone on InvitationRequest+*template and Anyone signed in on InvitationRequest
in a nutshell, when A.reader = auth, then sometimes you want to force A+x to be restricted to auth, sometimes you don't. right now, we always do. need design around this.