I’m in agreement. In the past, I had a security group for “read only” that provided access to just general trackers, dashboards, and reports. But didn’t provide access to more sensitive data… I had additional security groups for granting access to any type of financial trackers, methods of manufacture, etcetera (it all depended upon what upper management desired to have restricted from general view). In some cases, even specific data within trackers were security controlled… such as part costs, etceteera.
Because every company differs in what they consider confidential, a generic “read only” setting at the user account level would be wholly inadequate.
I would also say that, from a practical standpoint, what you allow an auditor to have access to should be very focused and limited. Why provide them access to more than what they actually need? That’s just opening one’s self up for unnecessary headaches.