AGOL hosted data should have the same granular capability as layers in services hosted on SDE.
Be able to control, down to a specific username, (based only on login, not user level), whether users can update geometry, create, delete, and update values.
In other words, to further build upon https://community.esri.com/ideas/12164 There are often times you want people only to be able to update, not create/delete or move geometry.
It should also be simpler to have layers of varying sorts in one viewer. You login in with "editor" username, you can edit them or some of them. You login in with ReadOnly and you only can view the layers. That is what I have for my emergency ops viewer. The way I got around it was with using the Add Layer widget for Web App Builder Dev Edition to add services secured with other logins. Doing that with hosted feature layers stored in multiple different organizations was difficult and I ended up needing to bring them to my Org, a luxury I fortunately was able to have. And I kept most on premise in SDE token locked on the service. In general, I could see this being a very common pattern for enterprises and public agencies, particularly with a viewer like emergency ops where you combine many different agencies to one viewer and some people should be able to edit and some users not be able to.