I’ve recently been added to a couple projects so I could help out, and I found that I could completely kick the project’s owner from it. Given exit permissions, I should not be able to completely take a project from the person who made it; this is a security issue. It looks like the person I was able to remove is still able to do the same to me.
Given that project editors have full access to a project, like .env file credentials, you shouldn’t be adding anyone to your project who you don’t trust enough to not kick you out of your own project. But having the flexibility to do so is sometimes useful for legitimate reasons.
Definitely seems like there should be a couple of different user roles for collaborators (or maybe there are and I missed it). Another approach (I think Reddit uses this for subreddit moderators) is to just make it so you can only boot people that are below you in the list.
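The "only boot people below you in the list" rule suggested above, sketched next to the flat behaviour reported in the first post. This is an added example, not part of the thread and not the platform's own code; the `Project` model, the join-order ranking and all member names are assumptions made for illustration.

```python
from dataclasses import dataclass, field


class NotAllowed(Exception):
    """Raised when a member lacks the rank to perform an action."""


@dataclass
class Project:
    # Hypothetical model: members in join order, index 0 is the creator.
    members: list[str] = field(default_factory=list)

    def invite(self, inviter: str, newcomer: str) -> None:
        if inviter not in self.members:
            raise NotAllowed(f"{inviter} is not a member")
        if newcomer not in self.members:
            self.members.append(newcomer)  # newcomers always rank last

    def can_remove_flat(self, actor: str, target: str) -> bool:
        # Behaviour reported in the thread: any member may remove any other.
        return actor in self.members and target in self.members

    def can_remove_ranked(self, actor: str, target: str) -> bool:
        # Suggested rule: leave yourself, or remove someone listed below you.
        if actor not in self.members or target not in self.members:
            return False
        if actor == target:
            return True
        return self.members.index(actor) < self.members.index(target)

    def remove(self, actor: str, target: str) -> None:
        if not self.can_remove_ranked(actor, target):
            raise NotAllowed(f"{actor} may not remove {target}")
        self.members.remove(target)


def demo() -> dict:
    p = Project(members=["owner"])  # constructed sample data
    p.invite("owner", "helper")
    p.invite("helper", "late_joiner")
    result = {
        "flat_helper_kicks_owner": p.can_remove_flat("helper", "owner"),
        "ranked_helper_kicks_owner": p.can_remove_ranked("helper", "owner"),
        "ranked_owner_kicks_helper": p.can_remove_ranked("owner", "helper"),
        "ranked_helper_kicks_late": p.can_remove_ranked("helper", "late_joiner"),
    }
    p.remove("owner", "helper")
    result["members_after"] = list(p.members)
    return result
```

Under the ranked rule the creator stays at the top of the list, so an invited collaborator can never lock them out, while collaborators can still manage people who joined after them.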
You could clone the original project, rename the clone by appending “dev” to the original project name (e.g. original project: “project”; cloned project: “project-dev”), and then lock the original project. Invite members to collab on the cloned version and then update the original as needed privately.