Did a casual grep of T603 just now
```
src/applications/differential/parser/DifferentialChangesetParser.php:908: // TODO: (T603) Probably fine to use omnipotent viewer here?
src/applications/diffusion/conduit/DiffusionGetCommitsConduitAPIMethod.php:244: // TODO: (T603) This should be policy checked, either by moving to
src/applications/diffusion/query/DiffusionSymbolQuery.php:266: // TODO: (T603) Provide a viewer here.
src/applications/diffusion/request/DiffusionRequest.php:390: // TODO: (T603) This should be a real query, but we need to sort out
src/applications/drydock/blueprint/DrydockWorkingCopyBlueprintImplementation.php:43: // TODO: (T603) Figure out the interaction between policies and
src/applications/maniphest/query/ManiphestTaskQuery.php:226: // TODO: (T603) It is possible for a user to find the PHID of a project
src/applications/maniphest/view/ManiphestTaskResultListView.php:63: // TODO: (T603) Eventually, we conceivably need to make each task
src/applications/metamta/replyhandler/PhabricatorMailReplyHandler.php:328: // TODO: (T603) What's the policy here?
src/applications/owners/storage/PhabricatorOwnersPackage.php:253: // thing to an Editor (T603).
src/applications/owners/storage/PhabricatorOwnersPackage.php:321: // TODO: (T603) Thread policy stuff in here.
src/applications/people/storage/PhabricatorUser.php:694: // TODO: (T603) Can we get rid of this entirely and move it to
src/applications/releeph/commitfinder/ReleephCommitFinder.php:33: // TOOD: (T603) This is all slated for annihilation.
src/applications/repository/storage/PhabricatorRepositoryArcanistProject.php:48: // TODO: Remove. Also, T603.
src/applications/repository/storage/PhabricatorRepositoryCommit.php:259: // TODO: (T603) Who should be able to edit a commit? For now, retain
src/applications/repository/worker/commitchangeparser/PhabricatorOwnersPackagePathValidator.php:18: // TODO: (T603) This should be policy-aware.
src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php:109: // TODO: (T603) This is probably safe to use an omnipotent user on,
src/applications/transactions/storage/PhabricatorApplicationTransaction.php:1143: // TODO: (T603) Exact policies are unclear here.
src/applications/transactions/storage/PhabricatorApplicationTransactionComment.php:146: // TODO: (T603) Policies are murky.
```
I think this is good to take a pass through and clean up.