Only some "Legal Documents" must be in the root of all repositories
I'm using the term "legal document" very loosely to mean files like README, LICENSE, CONTRIBUTING, CODE_OF_CONDUCT, NOTICES, SECURITY, AI_POLICY, etc.
Our recommendations in terms of how these files are represented need to be updated. Our current recommendations were drafted some time ago and reflected the best advice of the day, based on the services that were available at the time and the manner in which we leveraged them.
GitHub has a feature by which organisation-wide defaults can be provided for these (and other) documents, which relieves our committers of the requirement to add and maintain these files. I assume that our GitLab has a similar feature (but lack relevant experience).
I tend to think about this from the perspective of somebody forking one of our project repositories.
I believe that the README, LICENSE, and NOTICE files are specific to each individual repository and must be included in the repository root. When a repository is cloned, the licence does not change and we should take every necessary step to reasonably reinforce and inform adopters of the terms. Likewise, all source files must -- when technically feasible -- include a copyright and licence header.
The CONTRIBUTING, CODE_OF_CONDUCT, SECURITY, and AI_POLICY (see #26) files are project/EF specific. A team that forks one of our project repositories will likely have their own policies regarding contribution, conduct, etc. In fact, we probably don't want to include our policies in these repositories to avoid confusion downstream.
Am I missing something important?