the user running fossil needs permission to read and write the fossil disk partition, and do whatever is required (typically connect over the network) to venti, if that's being used. fossil then imposes access restrictions on its clients when they access files through 9P connections, including connections by the user running fossil (who has no extra permissions when accessing that file system structure). venti currently imposes few restrictions, except that clients need to know the protocol and some scores (to read). to secure the fossil+venti combination to a level similar to the old file server you'd probably want to prohibit all but fossil and authsrv-related connections to the file serving machine; in particular venti wouldn't appear directly on the network.