Gerrit has fine-grained per-branch ACLs. I haven't been able to find documentation for access control in Phabricator. For feature parity with Gerrit, we'll at least need to lock down approval rights to certain user groups on a per-branch basis, with wildcard support (for all branches, grant approval rights to group X, but for branches of the form wmf/*, grant approval rights only to the deployers group).
See also: T184: Inherited settings and access control for code repositories