Access control: the ability to constrain developers to operating in specific areas of the tree, implement branch-based policy restrictions, as well as to enforce policy such as tagging of commits for developers working outside their normal areas. Implementing these via hooks would not be a regression from what we currently do in CVS.
There are two ways to do this in Subversion.
The first is to implement ACLs in whatever application is providing access to the repository over the network. For example, you can use Apache ACLs to control access to certain parts of the tree.
Alternatively, you can use a pre-commit-hook script. Run by Subversion prior to every commit, this script can determine the paths that are being affected by the commit, who the authenticated committer is, the contents of the log message, and so on. This allows you to put in place more complex ACLs than those permitted by the first approach. For example "Anyone in the 'mentee' group must have an 'Approved by:' line in the commit message.
Hg is distributed and has a "a repository per branch" feature meaning that every developer has his/her own copy of the repositories he/she has an interest in as a set of private directories.
These copies can be published thus are also clone/push/pull-able.
Access control to these will be controlled by an HTTP server (the preferred way of publishing) thus will use the server way of authencating access.
For the reference trees, I'd expect the Patch_Queue_Manager to deal with write access.
An acl extension was added recently to Hg. It allows for selected part for a given repository to filter what will be accepted when considering incoming changesets. See there for details.
Git includes a hook that can be used for doing ACLs.
A single Monotone database can contain any number of branches, revisions and files. A server (or any user) can serve any subset of the branches contained in his database. Read/write-permissions are currently managed using Lua hooks (specifically get_netsync_read_permitted (branch, identity) and get_netsync_write_permitted (identity)), or using the default hooks that are based on two permission files.
A fully featured ACL system (branch-based policy restrictions and much more) is in the works and will be available "soon".