Thanks, guys, that makes it clear!
One last question, though, before I mark this as solved ...
I want to make sure that no one mistakenly exposes a private page to the general public. If I ask them to remember to use "private:<page_name>" then surely one day someone will forget the namespace.
Can I invert it? That is, can I ask users to use "public:<page_name>" and if they forget the namespace the worst that happens is that non-registered users see what looks like a broken link (or a "don't have permission" page & hopefully they will email me (especially if I tweak the page text to ask them to do so))?
Would an ACL like this work?
public: @ALL 1 # read access
public: @user 2 # logged in users can edit public pages
* @user 2 # logged in users can edit non-public pages
Thanks in advance ...