As I learned in T326752, members of acl*sre-team are allowed to edit acl*security and thus can join any of it's subprojects.
Thus I propose to require 2FA to be enabled for members of acl*sre-team, since we require 2FA to be enabled for members of acl*security.