I vaguely recall that I've brought the issue up earlier, but I'm not sure. Anyway, here's my suggestion. It's based on the rules srb had in his pikex repo, and also what we use at Roxen:
o Main version branches are defined as those containing only [0-9.]. They can not be rebased, created or deleted remotely by anyone, only committed to. To create a new version branch someone has to log in locally.
o Personal branches and tags beginning with <username>/ can be created, deleted and rebased by that user, and other users can commit to them.
o Branches and tags beginning with <username>/x- are similar, except that other users can not change them at all.
o Branches and tags beginning with scratch/ may be changed freely by anyone with push access.
o Other branches, i.e. those not containing "/", are considered to be common topic branches. They can be created by anyone but not deleted or rebased. The same applies to other tags.
o At Roxen, tags matching those produced by the dist making process can only be created by the dist builder account. In Pike we probably can't have such a restriction though.
I've got a modified version of the update hook example script from the git dist that implements this, if it's of any interest.
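The rules above, written as a decision function an update hook could call. This is an added example, not the modified hook script mentioned in the post. It assumes the first path component of a ref name is the owning username, that the version-branch rule applies to branches only, and that the pushing user arrives in a hypothetical `PUSH_USER` variable; the dist-builder tag rule is left out.

```shell
#!/bin/sh
# Added sketch of the ref rules listed above; NOT the poster's modified hook.
# policy USER REF KIND -> status 0 (allow) or 1 (deny).
# KIND: create | delete | ff (ordinary commit) | rebase (non-fast-forward)
policy() {
    user=$1 ref=$2 kind=$3
    case $ref in
        refs/heads/*) name=${ref#refs/heads/} type=branch ;;
        refs/tags/*)  name=${ref#refs/tags/}  type=tag ;;
        *) return 1 ;;              # assumption: refuse other namespaces
    esac
    case $name in
        scratch/*) return 0 ;;      # free for anyone with push access
        */*)
            owner=${name%%/*}       # assumption: first component is a username
            [ "$owner" = "$user" ] && return 0
            case $name in "$owner"/x-*) return 1 ;; esac   # owner-only
            [ "$kind" = ff ] && return 0 || return 1 ;;    # others: commit only
    esac
    # Names without "/" from here on.
    if [ "$type" = branch ]; then
        case $name in
            *[!0-9.]*) ;;           # not a main version branch
            *) [ "$kind" = ff ] && return 0 || return 1 ;;
        esac
    fi
    case $kind in                   # common topic branches and other tags
        create|ff) return 0 ;;
        *) return 1 ;;
    esac
}

# classify OLDREV NEWREV -> prints KIND from the update hook's arguments.
classify() {
    case $1 in *[!0]*) ;; *) echo create; return ;; esac   # all-zero old id
    case $2 in *[!0]*) ;; *) echo delete; return ;; esac   # all-zero new id
    if git merge-base --is-ancestor "$1" "$2" 2>/dev/null
    then echo ff; else echo rebase; fi   # errors are treated as "rebase"
}

# In hooks/update ($1=ref $2=old $3=new); PUSH_USER is a hypothetical variable
# set by the access layer (e.g. a forced SSH command):
#   policy "$PUSH_USER" "$1" "$(classify "$2" "$3")" || exit 1
```

The user identity has to come from the transport layer, since author and committer fields in pushed commits are chosen by the client.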