Re: "wary of creating two classes of GitLab employee with different levels of access to systems."
One of my engineers came from a company that didn't even have any infrastructure of their own, rather they just used cloud-hosted and 3rd party stuff for operations. The company's documents, including the passwords to pretty much everything, were stored in a Dropbox instance that everyone had access. Their reasoning was "We don't believe in job roles, if something needs to be done and someone has the skill to do it, they should be able to!", a philosophy that they snagged from another start-up. They were trying to claim that "This is how they make Linux!", completely ignoring how wrong that is. They reasoned that if someone was malicious or incompetent, they could just undo their changes and push the application back out to AWS Lambda.
And yes, this company is in Silicon Valley (Well ostensibly, they don't have an actual office and instead employees work from home and/or WeWork type spaces).
I figured that GitLab might be doing something equally weird.