If you set `policy.allow-public` to true and force a repository's visibility to less than public, you get a 404 response code instead of a 401, which prompts for auth details in git/mercurial.
You hit this: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$102
instead of this, which you hit without `policy.allow-public`: https://secure.phabricator.com/diffusion/P/browse/master/src/applications/diffusion/controller/DiffusionServeController.php;348ca4207c1c5757a7f1797fa181d4d9bec2f09f$87
In other words, it seems that the repository fetch never throws the appropriate policy exception.