If the box for "X.Org security team -- upstream and vendors" is ticked, the default assignee remains the xorg-team mailing list. That list is an open list, thus circumventing the restriction put on the bug in the first place. This can be worked around by assigning the bug to a specific person instead (or xorg_security), but some sort of warning would be nice. Or even better, a restriction of xorg-team not being the assignee or QA owner for any restricted bug.
Yes, we should have this. Sadly, it seems Bugzilla doesn't really have this functionality, so it'll need an extension or upstream fix.
*** This bug has been marked as a duplicate of bug 61434 ***