Phabricator Spaces are policy containers for groups of objects or, in plain English, areas where just some users with the appropriate permissions can access and work. Think for instance about spaces for Security, Procurement, Fundraising, Legal... accessed only by the members of those teams and optionally special guests. The full specifications are described in https://secure.phabricator.com/T3820#116875
The Phabricator maintainers expect to have a first version of Spaces ready by the end of June 2015, probably to be fine tuned during July after the first users report feedback.
Once this feature is implemented, the request of a new space should be a simple process, and could be possibly be handled by the Project-Admins process to request a new project. AffCom, Community Liaisons, and Fundraising Tech are the first cases that come to mind, and it is clear that these teams handle some private information combined with their public activities.
The implementation of Spaces might imply the deprecation of the Security extension that we are running locally in Wikimedia Phabricator, which currently allows the handling of security bugs and special requests to Operations. To be discussed.
The Developer-Advocacy team is driving this initiative in Wikimedia's side. We are pooling a budget in the Community Engagement department to fund this development. See the WMF Short Form Business Case for Phabricator Spaces.
There are teams dealing with sensitive information that need to work with private tasks. Their theoretical options are:
Request a special security policy for their tasks, which will imply a new entry in the Security dropdown menu. Just like the Security team now or the Operations team as soon as RT is migrated, they will need to work privately in a fully open context. They will be responsible of maintaining the list of project members with access to the private tasks, and also who else can access to the tasks via CC. The Wikimedia Phabricator maintainers will not be responsible of any accidental leaks due to human errors messing with policies or users.
Note that we don't have any process to address a request like this. If a team steps in, we will need to discuss the proposal from scratch.
Wait until upstream implements Spaces. Then you will be able to request an own namespace with default private policies fitting your needs. You will manage who can access to these namespaces and you will be able to create your projects within that namespace.