I am posting this because I couldn't find this information in one place when I needed it, and I think it might be useful for somebody in the future. Please feel free to challenge or extend it. I'm happy to learn more or correct my errors.
We had quite a huge issue with different levels of permissions in different roles, different levels of access to the same data...
A few basics we need to be aware of:
Different approaches to cover every possible weak point at the list level...
How can I change the permissions based on a managed metadata field? I.e. if the managed metadata field = Northern, set the permissions to an 'AD Northern' group or a 'SharePoint Northern' group.
I am sure I read an article about Microsoft discouraging you from using Set Item Permission because it may have an effect on the overall performance, as well as making it more difficult to have an overview of the overall permissions.
Imagine having hundreds of items... does it not add another hundred separate permissions on top, per item?
That's true. But sometimes you can't have the luxury of "nice performance" when business requirements dictate the project priorities.