This is no longer true as of RM Release 1.1.0. See the model here - you will see EHR.folders as well as EHR.directory.
Explanation/visualisation here.
Well this is potentially true of any attempt to do access control based on content. A fairly common view these days is that viable access control (as opposed to idealistic but probably impossible) is primarily by the record owner (patient) having a way to classify/mark their data as ‘sensitive’, ‘non-sensitive’, and maybe more such classifications. ‘Sensitive’ would require presence of patient to give consent. Emergency situations have a way of over-riding all access control.
We can certainly discuss this, although it was always assumed that that was the purpose of EVENT_CONTEXT.other_context. But if we think we can standardise visit info, more attributes could be added to EVENT_CONTEXT.