There doesn't seem to be any policy for moving cards in a workboard. As long as workboards are visible, All Users (registered) can move them, unless I have missed something. It's not the Editable By policy for a project, neither for a task.
In projects where a workboard is maintained, the position of the cards might contain a lot of meaning for the developer team. It's not funny if overnight someone came and played with your workboard. It's even less funny if it was not even a game but an intentional statement, a difference of opinions, a protest, etc.
Wikimedia developers and product owners ask how can they protect their board so only the team gets to decide where the cards sit. In Trello and Mingle they are in control. We have no precedents of abuse in Phabricator so far, but looking at our history with Bugzilla I will not be surprised the morning we find a first precedent.
For a simple UI solution, and as long as workboards are part of projects, it would make sense that the Editable By policy of a project would define who can move the cards of the related workboard. It already defines who can edit the columns themselves.
Original report: https://phabricator.wikimedia.org/T1178