Wrong feature access levels set when creating private project
Summary
On a newly created private project, all feature access levels (except for pages) will be set to 20 (everyone) instead of 10 (project members). Only after interacting with the feature settings of a project are the permissions set correctly.
Presumably this is just a minor inconsistency and doesn't allow for any exploits - at least I couldn't find any, but I'm not a security expert. However, this inconsistency was the sole reason why the "Include private contributions on my profile" feature even worked before it got fixed by !74826 (merged).
Steps to reproduce
1. Create a new private project
2. Open https://gitlab.com/api/v4/projects/{PROJECT_ID} and search for `access_level`
3. Note that they are all set to "enabled" (except `pages_access_level`, which is correctly set to "private")
4. Open the settings of the newly created project
5. Select project visibility "public", switch back to "private", and lastly click "Save changes"
6. Refresh/reopen the page from step 2. Now the feature access levels will be "private"

Step 5 side note:
Alternatively, only a single feature can be "disabled > enabled > save changes", and then only the access level of that feature will get changed.
What is the current bug behavior?
Feature access levels are set to 20 (everyone) when creating a new private project. They only get corrected if the user interacts with the corresponding feature permissions or the project visibility in the project settings.
What is the expected correct behavior?
Feature access levels should be set to 10 when creating new private projects.
Relevant logs and/or screenshots
API response for a newly created private project:

```json
{
  ...
  "issues_access_level": "enabled",
  "repository_access_level": "enabled",
  "merge_requests_access_level": "enabled",
  "forking_access_level": "enabled",
  "wiki_access_level": "enabled",
  "builds_access_level": "enabled",
  "snippets_access_level": "enabled",
  "pages_access_level": "private",
  "operations_access_level": "enabled",
  "analytics_access_level": "enabled",
  "container_registry_access_level": "enabled",
  ...
}
```
API response after doing "Public > Private > Save changes" in the project settings:

```json
{
  ...
  "issues_access_level": "private",
  "repository_access_level": "private",
  "merge_requests_access_level": "private",
  "forking_access_level": "enabled",
  "wiki_access_level": "private",
  "builds_access_level": "private",
  "snippets_access_level": "private",
  "pages_access_level": "private",
  "operations_access_level": "private",
  "analytics_access_level": "private",
  "container_registry_access_level": "private",
  ...
}
```
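The check described in steps 2 and 3 can be scripted so that an administrator can audit private projects for this inconsistency. The following is an added example for this report, not GitLab's own code: it takes the JSON returned by `GET /api/v4/projects/:id`, collects every `*_access_level` field, and reports the ones more permissive than the level expected for a private project ("private", i.e. project members). The two samples are constructed from the fields quoted in the report's API responses; the `fetch_project` helper, the `GITLAB_TOKEN` variable and the `ceiling` parameter are this example's own assumptions.

```python
"""Audit a GitLab project's feature access levels against its visibility.

Added example for this report, not GitLab's own code. It assumes only
what the report shows: the projects API returns one `<feature>_access_level`
string per feature, and on a private project every such level is expected
to be "private" (project members).
"""
import json
import os
import sys
import urllib.request

# Ordering of the level names the projects API returns. GitLab stores
# these as 0/10/20/30 internally (the report quotes 10 and 20); the API
# exposes the names.
LEVEL_RANK = {"disabled": 0, "private": 10, "enabled": 20, "public": 30}


def audit_feature_access_levels(project, ceiling="private"):
    """Return {field: level} for each *_access_level field in `project`
    that is more permissive than `ceiling` or carries an unknown value.

    An empty dict means every feature is at or below the ceiling."""
    limit = LEVEL_RANK[ceiling]
    findings = {}
    for field, level in sorted(project.items()):
        if not field.endswith("_access_level"):
            continue
        rank = LEVEL_RANK.get(level)
        # Unknown values are reported too, so they are not silently accepted.
        if rank is None or rank > limit:
            findings[field] = level
    return findings


def fetch_project(project_id, token, base_url="https://gitlab.com"):
    """Fetch GET /api/v4/projects/:id (the endpoint named in step 2).
    Assumed helper: a personal access token in the PRIVATE-TOKEN header."""
    req = urllib.request.Request(
        f"{base_url}/api/v4/projects/{project_id}",
        headers={"PRIVATE-TOKEN": token},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed samples: the fields quoted in the report's two API responses
# (the other fields of a real response are omitted).
NEW_PRIVATE_PROJECT = {
    "issues_access_level": "enabled",
    "repository_access_level": "enabled",
    "merge_requests_access_level": "enabled",
    "forking_access_level": "enabled",
    "wiki_access_level": "enabled",
    "builds_access_level": "enabled",
    "snippets_access_level": "enabled",
    "pages_access_level": "private",
    "operations_access_level": "enabled",
    "analytics_access_level": "enabled",
    "container_registry_access_level": "enabled",
}

# Second response from the report: everything "private" except forking.
AFTER_SETTINGS_SAVE = dict(NEW_PRIVATE_PROJECT, **{
    field: "private" for field in NEW_PRIVATE_PROJECT
    if field != "forking_access_level"
})


if __name__ == "__main__":
    # Usage: GITLAB_TOKEN=... python audit.py <PROJECT_ID>
    # Without an argument, the two samples from the report are audited.
    if len(sys.argv) > 1:
        live = fetch_project(sys.argv[1], os.environ["GITLAB_TOKEN"])
        if live.get("visibility") != "private":
            sys.exit("project is not private; the 'private' ceiling does not apply")
        samples = {"live project": live}
    else:
        samples = {"new private project": NEW_PRIVATE_PROJECT,
                   "after settings save": AFTER_SETTINGS_SAVE}
    for name, project in samples.items():
        findings = audit_feature_access_levels(project)
        print(f"{name}: {'OK' if not findings else 'MISMATCH'} {findings}")
```

Run against the first sample, the audit lists every feature except pages; run against the second, it still flags `forking_access_level`, which the report's own "after" response shows remaining "enabled" after the visibility round-trip. Whether that one is intended is not something the report states, so the check simply reports it rather than treating it as an exception.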
Output of checks
This bug happens on GitLab.com.
Possible fixes
(Presumably) The Project Create Service should ensure that the feature access levels are set correctly if they are not explicitly set in the request.