Hey z3bra I like your namespace /ns/<PROJECT> concept. I do believe that this is the way to go.
Yes, sadly umask is pretty limited and the access control of chmod/chowm is very limited.
There is more information about ACLs in here: https://wiki.archlinux.org/index.php/Acc...trol_Lists
I believe these ACLs are important when it comes to security, since they allow for a more dynamic approach. (Inheritance)
They do however bring risks, in such that if the parent changes all subdirectories and files will also be changed (And possibly unreadable by someone).

I suggest you use https://wiki.archlinux.org/index.php/Fil...and_lsattr chattr in order to lock the attributes of your specific namespacae after making sure your permissions are correctly set up! :)