Red Hat OpenStack Services on OpenShift
OSPRH-14638

User who is not owner of the SG can create/delete rules in the shared SG


    • Bug
    • Resolution: Done-Errata
    • Critical
    • rhos-18.0.7
    • rhos-18.0.5
    • openstack-neutron
    • None
    • Important

If an SG is shared with another project using the RBAC mechanism in Neutron, users from the target project can see and use that SG but cannot modify it by default, because by default modifying SGs is only allowed for the admin and the owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L153

But a user who only sees the SG as shared with them can still create or delete SG rules in that SG, because SG rules have their own API policies and those do not check the owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L214

Creating an SG rule is really a modification of the SG, thus IMO it should by default mimic the API policies for SGs, and creation/deletion of SG rules in such a case should be allowed only for the admin and the owner of the SG. To do that we should change our default API policies for "create_security_group_rule" and "delete_security_group_rule" to "rule:admin_or_sg_owner".
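The change the issue proposes can also be applied on the operator side, ahead of an errata, as an oslo.policy override for neutron-server. The following policy.yaml fragment is an added example (not from the issue or from the Neutron project); the file path is an assumption, and "rule:admin_or_sg_owner" is the rule named in the issue, defined in Neutron's in-code security group policies linked above.

```yaml
# /etc/neutron/policy.yaml  (assumed path; use whatever file the
# [oslo_policy] policy_file option of neutron-server points at)
#
# Added example, not the issue's or the project's own configuration.
# As the issue describes, the in-code defaults for these two actions do
# not check who owns the parent security group, so a member of a project
# the SG is merely shared with can add or remove rules on it. Overriding
# both actions with the rule the issue proposes as the new default
# restricts them to the admin or the owner of the SG, matching the
# existing update_security_group behaviour.
"create_security_group_rule": "rule:admin_or_sg_owner"
"delete_security_group_rule": "rule:admin_or_sg_owner"
```

Entries in this file take precedence over the in-code defaults, and oslo.policy re-reads the file when its modification time changes, so no code update is needed. To confirm the override took effect, create a rule in a shared SG as a non-admin member of the target project: the request should now be rejected with HTTP 403, while the SG owner and an admin can still create and delete rules as before.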


              skaplons@redhat.com Slawomir Kaplonski
              skaplons@redhat.com Slawomir Kaplonski
              Renjing Xiao
              rhos-dfg-networking-squad-neutron
              Votes: 0
              Watchers: 4
