[p4] Security question: super-limited account ?

[G Barthelemy]

Why not setting up a separate Perforce server, which would be the only
one that your external guy could access via VPN. Call it the "customer
facing" Perforce server. This could be done quite cheaply too.

You then setup one or more remote depots on it that would point to
your production server, and in particular to a "customer release"
branch on which you would publish exactly what you decide the external
guy should have access to.

Remote depots are read-only and access to the metadata of the source
server isn't possible either, so that should answer those security
concerns.

-- 
Guillaume