When it’s a security review and something is on paper, there is now documentation of potential liability.

When it’s just a random staff member complaining they want to do something that makes it harder to onboard customers, there’s no proof of incompetence, and incompetence can still be blamed on the developers.

Does that mean that suggestions like that should maybe be sent by email, with multiple important people CCd?

Yes. But for what purpose will you be sending it - to cover your ass, or to make yourself feel superior?

Also keep in mind that the company has full access to your work email account therefore they could delete the email if they wanted to. Not likely they would in general but people have been known to do all sorts of things in situations where a written record could hurt them.

> Yes. But for what purpose will you be sending it - to cover your ass, or to make yourself feel superior?

What about for the purpose of improving the product you're (assumingly) full-time employed on?

Telling that that wasn't one of your hypothetical reasons :)

To suggest a feature or describe an issue on a product you're working on can be most easily done by just talking to people, for example by bringing it up in a design or planning meeting with the team and management. If it gets picked up it will get added to the schedule in some written form. It does not need to specifically communicated by email or written down, unless explicitly asked for.

Therefore the main purpose of writing the initial suggestion down is so there's a record of it for future use. Either to cover your own ass when management/auditors/lawyers get involved, or to say you were right and management was wrong and make yourself feel superior.

It might be not required to write it down but there's no need to say that doing so attributes to one anything beyond act of communication.