UA Policy is a key aspect of First-Party Sets that should define what constitutes an acceptable set.

One key principle that has been proposed in the privacy models of various browsers is the notion of being owned and operated by the same organization.

• Note: This has been challenged in Arbitrary/opaque nature of "organizations" as the arbiter of first-party sets #14, Expand Set Eligibility Beyond a Single Organization #17, and Enforcement of organizational structure within FPS #18. It has been suggested that the same organization requirement be dropped in favor of a UX signal indicating affiliation to the user.

What are other key elements that are desirable to capture in the UA Policy?

What properties of user understanding (as enshrined in the page URL) can the policy cover?