Tricky. It seems like it's generally a problem when a finalizer needs to access any other Cell, apart from some that are explicitly allowed by our ordering rules. (Which considers both the type and the zone.)
I do wonder if we should have some declarative contract at the beginning of the finalizer:
FinalizerAccesses<FinalizationGroup, JSObjectZone> assertCanAccess1;
or in the body
FinalizerAccesses<FinalizationGroup, JSObjectZone> assertCanAccess(this, obj);
that would boil down to static_asserts for what can be checked at compile time, plus runtime asserts for cross-zone access, foreground/background mixups, etc. And future "sufficiently smart static analysis" that complains if you access anything else.
But it all feels very complicated, especially when considering barriers that impose their own rules.
Maybe we could start with a comment that describes what the present rules are.