The best practices for organizations help page suggests “we recommend creating an
all-employees team and granting it appropriate access to all but the most top-secret repos”. But that suggestion seems to ignore the significant problem of how to get every new org member added to such a team.
Note that I am not trying to exclude “org members” that are contractors so there is no need or desire to currate which org members get added to this team. I am just trying to exclude some repos from org-wide read access. gitlab supports not just public and private repos but “internal” repos that provide org-wide access (without having to apply this to all repos).
Having a pre-built “team” that is “entire org” would be helpful.