We should change things so that user defined roles can only have privileges targeting the database they are defined on (except for roles on the admin DB). This would mean that non-admin DB roles could only have explicit privileges that target the current db or an exact namespace in the current db, and could only inherit from roles defined on its db.
This would not prevent granting roles from one db to a user of another db.
I think we should do this because:
a) It doesn't actually make the system any less powerful or expressive - you needed grantRole on the admin db to grant privileges targeted outside a UDR's db anyway, so the privileges required to grant a user the privileges you want won't change.
b) It makes the system more similar to how it was in 2.4.
c) The main reason: it makes the system easier to reason about, explain, and document.
d) It'll be easy for us to loosen this restriction in the future if we decide it was a bad idea (but hard for us to go the other way).
e) It'll be an easy change to make to the code to implement this.
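The rule proposed above, written out as a small validator, as an added example that is not part of the ticket and not MongoDB's own implementation. It assumes the role document shape used by createRole ({role, db, privileges: [{resource, actions}], roles: [...]}) where a string entry in `roles` is shorthand for a role on the same db, and the resource forms {db, collection}, {cluster: true} and {anyResource: true}. The function names (validateRole, resourceWithinDb) are made up for this illustration; the sample role documents are constructed.

```javascript
// Added example: validator for the proposed user-defined-role (UDR) scoping rule.
// Not from the ticket or from MongoDB's code; names and sample data are illustrative.
//
// Rule being modelled:
//   - a role defined on the admin db is unrestricted;
//   - a role on any other db may only hold privileges whose resource is the
//     whole current db ({db: X, collection: ""}) or an exact namespace in it
//     ({db: X, collection: "c"}), and may only inherit roles defined on that db.
// Granting a role from one db to a user of another db is a separate operation
// and is deliberately NOT checked here (the proposal leaves it allowed).

// True if `resource` targets only `db` (whole db or one collection in it).
function resourceWithinDb(resource, db) {
  if (typeof resource !== "object" || resource === null) return false;
  // cluster-wide and anyResource privileges are never confined to one db
  if (resource.cluster === true || resource.anyResource === true) return false;
  if (!("db" in resource) || !("collection" in resource)) return false;
  // db: "" means "every db", another db name means a foreign db; both are out of scope
  return resource.db === db;
}

// Returns a list of human-readable violations; an empty list means the role
// conforms to the proposed restriction.
function validateRole(roleDoc) {
  const errors = [];
  const db = roleDoc.db;
  if (db === "admin") return errors; // admin-db roles keep full expressiveness

  (roleDoc.privileges || []).forEach(function (p, i) {
    if (!resourceWithinDb(p.resource, db)) {
      errors.push(
        "privileges[" + i + "] targets " + JSON.stringify(p.resource) +
        " which is outside db '" + db + "'"
      );
    }
  });

  (roleDoc.roles || []).forEach(function (r, i) {
    // createRole shorthand: a bare string names a role on the same db
    const inheritedDb = typeof r === "string" ? db : r.db;
    if (inheritedDb !== db) {
      errors.push(
        "roles[" + i + "] inherits from a role on db '" + inheritedDb +
        "' instead of '" + db + "'"
      );
    }
  });
  return errors;
}

// Constructed sample role documents.
const appReader = {            // conforms: same-db privileges, same-db inheritance
  role: "appReader", db: "app",
  privileges: [
    { resource: { db: "app", collection: "" }, actions: ["find"] },
    { resource: { db: "app", collection: "orders" }, actions: ["insert"] }
  ],
  roles: ["read", { role: "readWrite", db: "app" }]
};

const crossReader = {          // violates: foreign-db privilege, cluster privilege, foreign inheritance
  role: "crossReader", db: "app",
  privileges: [
    { resource: { db: "other", collection: "logs" }, actions: ["find"] },
    { resource: { cluster: true }, actions: ["serverStatus"] }
  ],
  roles: [{ role: "read", db: "other" }]
};

const adminAudit = {           // admin-db role: unrestricted under the proposal
  role: "adminAudit", db: "admin",
  privileges: [{ resource: { db: "", collection: "" }, actions: ["find"] }],
  roles: [{ role: "read", db: "other" }]
};

console.log(validateRole(appReader));   // []
console.log(validateRole(crossReader)); // three violations
console.log(validateRole(adminAudit));  // []
```

The check is purely structural, so it can run before the role is persisted; a server enforcing the proposal would reject crossReader at createRole/updateRole time while still letting an admin grant appReader to a user defined on another db.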