
Permissions posture for Database
Closed, Invalid | Public


I can understand that Phabricator needs to create databases upon installation, and upon upgrade, which is why you've provided the ability for this via:

./bin/storage upgrade --user phabricator --password <pass>

What I'd like a bit of clarification on is what would be a better practice than doing this:

mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO "phabricator"@"localhost" IDENTIFIED BY "<pass>";

Which seems to be how Phabricator would be happiest. I could go through and, instead of using *.*, set up grants for each phabricator_<schema_name>.*; however, I'd then need to know to do this upon an upgrade if a new schema was created.

Specifically, it would be nice to know what permissions are absolutely required for operation (rather than ALL) vs. what permissions are required for upgrade (for which I assume the default use case is to always upgrade via the root MySQL user).

For my current install, Phabricator is the only tenant on the MySQL instance, but it still doesn't seem like good practice to have this be wide-open permissions.
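
One way to scope the grants discussed in this task, as an added example that is not part of the original post and not Phabricator's own guidance: a MySQL database-name pattern covers every phabricator_<schema_name> database, including ones a later upgrade creates, and the runtime and upgrade roles are split into two accounts. The phabricator_admin account, the <admin-pass> placeholder and both privilege lists are assumptions to verify against your own install.

```sql
-- Added example. Privilege lists are assumptions, not a documented
-- Phabricator minimum; test them on a staging copy before relying on them.

-- Before (from the post): every privilege on every database on the server.
-- GRANT ALL PRIVILEGES ON *.* TO "phabricator"@"localhost" IDENTIFIED BY "<pass>";

-- Runtime account: strip whatever it holds today, then grant data access
-- only on databases whose name starts with "phabricator_".
-- "\_" is a literal underscore; "%" matches the rest of the schema name,
-- so a schema created by a future upgrade is covered without a new GRANT.
CREATE USER IF NOT EXISTS 'phabricator'@'localhost' IDENTIFIED BY '<pass>';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'phabricator'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON `phabricator\_%`.* TO 'phabricator'@'localhost';

-- Upgrade account (hypothetical name): adds schema-changing privileges on
-- the same pattern. CREATE at this level permits CREATE DATABASE only for
-- names that match the pattern. Used as:
--   ./bin/storage upgrade --user phabricator_admin --password <admin-pass>
CREATE USER IF NOT EXISTS 'phabricator_admin'@'localhost'
  IDENTIFIED BY '<admin-pass>';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX
  ON `phabricator\_%`.* TO 'phabricator_admin'@'localhost';

-- Check the result: neither account should list any privilege ON *.*
-- other than USAGE. If the pattern shows up but access is denied, check
-- whether the server treats wildcards in database grants literally
-- (for example when partial_revokes is enabled).
SHOW GRANTS FOR 'phabricator'@'localhost';
SHOW GRANTS FOR 'phabricator_admin'@'localhost';
```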