(no title)

It seems there's an expectation that ordinary ArgoCD users don't have (write) permissions to the cluster, and handling permissions is delegated to the checks you have on your git repos.

It does feel like a shortcut that limits the situations where ArgoCD can be used, but I can see how this could have been justified during the design process.