(See second half of https://secure.phabricator.com/T8376#120500 - join https://secure.phabricator.com/tag/space_test_users/ and then you'll be able to view https://secure.phabricator.com/T8514 which demonstrates this issue)
If you have a private space and you put an object in it, the object's visibility policy can still be 'Public' (and this shows in a very visible location at the top of the object's page). But you can't see it unless you also meet the space's policy - I think this is very bad because it will confuse users who won't recognise/understand what the object being in a private space actually means for visibility policy.
Basically I think that users are going to expect that if they see 'Public', the information they're viewing is public. In reality, Phabricator is going to be expecting users to understand how space visibility policy is also required to view the object, not only the object's own visibility policy. Given that some users in very trusted positions don't seem to understand basic object-level policy, I think this is a very bad assumption, and that this should block our own adoption of Spaces downstream for anything actually confidential.