Assigned
Status Update
Comments
mi...@scsk.jp <mi...@scsk.jp> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
No update yet.
Description
Please provide as much information as possible. At least, this should include a description of your issue and steps to reproduce the problem. If possible please provide a summary of what steps or workarounds you have already tried, and any docs or articles you found (un)helpful.
Problem you have encountered:
VPC SC does not restrict adding a Project Owner.
What you expected to happen:
VPC SC restricts adding a Project Owner.
Public documentation [1] explains "A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation."
[1]
---
・A user cannot be granted the owner role using setIamPolicy(). The user must be granted the owner role using the Cloud Platform Console and must explicitly accept the invitation.
・You can only grant ownership of a project to a member by using the GCP Console. Inviting a member will deliver an invitation email that they must accept. An invitation email is not generated if you are granting a role other than owner, or if both the member you are inviting and the project are part of your organization.
---
So users are unable to grant ownership of a project using SetIamPolicy, which is the only method currently supported by VPC SC [2].
[2]
---
Resource Manager
Status: Beta.
This product integration is ready for broader testing and use, but is not fully supported for production environments.
Service name:
---
Steps to reproduce:
1. Configure VPC SC to restrict the Resource Manager API and the test project.
2. In the test project, add an Owner role to a user in a project.
Other information (workarounds you have tried, documentation consulted, etc):
n/a
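Because the report describes Owner grants that the perimeter does not block, a defender can detect them after the fact by comparing IAM policy snapshots. The following is an added example, not part of the original report or of any Google tooling: it assumes two policy documents in the JSON shape returned by getIamPolicy (for instance from `gcloud projects get-iam-policy`), and the policies and the `example.com` organization domain are constructed sample values.

```python
OWNER_ROLE = "roles/owner"


def owner_members(policy):
    """Collect every member bound to roles/owner in an IAM policy dict."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == OWNER_ROLE:
            members.update(binding.get("members", []))
    return members


def outside_org(member, org_domain):
    """Flag anything that is not a user or group identity in org_domain."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group"):
        return not ident.lower().endswith("@" + org_domain.lower())
    # Service accounts, domain-wide members, etc. always need a manual review.
    return True


def new_owners(before, after, org_domain):
    """Return sorted (member, outside_org) pairs for owners added since 'before'."""
    added = owner_members(after) - owner_members(before)
    return sorted((m, outside_org(m, org_domain)) for m in added)


# Constructed sample snapshots of one project's IAM policy.
BEFORE = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]},
]}
AFTER = {"bindings": [
    {"role": "roles/owner", "members": [
        "user:admin@example.com",
        "user:new.owner@example.com",
        "user:contractor@other.example",
    ]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]},
]}

if __name__ == "__main__":
    for member, external in new_owners(BEFORE, AFTER, "example.com"):
        note = "OUTSIDE ORG" if external else "in org"
        print(f"new owner: {member} ({note})")
```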