There should be a more configurable permissions setting that controls CO Person visibility, probably via CO Settings. eg:

• CO Admin: Only CO Admins can see CO Person records
• COU Admin: COU Admins can see CO Person records, plus CO Person Role records they manage
• Any Admin: Any CO or COU Admin can see any CO Person and CO Person Role record
• CO Group: Any Admin + members of the Group (intended for helpdesk, maybe create a special helpdesk group instead?)

It might make sense to introduce a new "Permission" object to abstract this out here and in other places (like Enrollment Flow Authz). Though Permissions would still be managed in the relevant UI (eg: CO Settings), the model abstraction would handle rendering a View Element and processing the Permission at run time.