diff --git a/src/applications/differential/conduit/ConduitAPI_differential_createcomment_Method.php b/src/applications/differential/conduit/ConduitAPI_differential_createcomment_Method.php index 58d2b43056..3f6c67a01a 100644 --- a/src/applications/differential/conduit/ConduitAPI_differential_createcomment_Method.php +++ b/src/applications/differential/conduit/ConduitAPI_differential_createcomment_Method.php @@ -31,8 +31,10 @@ final class ConduitAPI_differential_createcomment_Method } protected function execute(ConduitAPIRequest $request) { - $revision = id(new DifferentialRevision())->load( - $request->getValue('revision_id')); + $revision = id(new DifferentialRevisionQuery()) + ->setViewer($request->getUser()) + ->withIDs(array($request->getValue('revision_id'))) + ->executeOne(); if (!$revision) { throw new ConduitException('ERR_BAD_REVISION'); } diff --git a/src/applications/differential/conduit/ConduitAPI_differential_creatediff_Method.php b/src/applications/differential/conduit/ConduitAPI_differential_creatediff_Method.php index a62cca98e2..d2f4b9a499 100644 --- a/src/applications/differential/conduit/ConduitAPI_differential_creatediff_Method.php +++ b/src/applications/differential/conduit/ConduitAPI_differential_creatediff_Method.php @@ -59,7 +59,10 @@ final class ConduitAPI_differential_creatediff_Method extends ConduitAPIMethod { $parent_id = $request->getValue('parentRevisionID'); if ($parent_id) { - $parent_rev = id(new DifferentialRevision())->load($parent_id); + $parent_rev = id(new DifferentialRevisionQuery()) + ->setViewer($request->getUser()) + ->withIDs(array($parent_id)) + ->executeOne(); if ($parent_rev) { if ($parent_rev->getStatus() != ArcanistDifferentialRevisionStatus::CLOSED) { diff --git a/src/applications/differential/conduit/ConduitAPI_differential_createinline_Method.php b/src/applications/differential/conduit/ConduitAPI_differential_createinline_Method.php index b2359a82cc..bd1bf83a66 100644 
--- a/src/applications/differential/conduit/ConduitAPI_differential_createinline_Method.php +++ b/src/applications/differential/conduit/ConduitAPI_differential_createinline_Method.php @@ -43,7 +43,10 @@ final class ConduitAPI_differential_createinline_Method if ($rid) { // Given both a revision and a diff, check that they match. // Given only a revision, find the active diff. - $revision = id(new DifferentialRevision())->load($rid); + $revision = id(new DifferentialRevisionQuery()) + ->setViewer($request->getUser()) + ->withIDs(array($rid)) + ->executeOne(); if (!$revision) { throw new ConduitException('ERR-BAD-REVISION'); } diff --git a/src/applications/differential/controller/DifferentialCommentSaveController.php b/src/applications/differential/controller/DifferentialCommentSaveController.php index d79b0dcb7b..6e888947a9 100644 --- a/src/applications/differential/controller/DifferentialCommentSaveController.php +++ b/src/applications/differential/controller/DifferentialCommentSaveController.php @@ -8,8 +8,13 @@ final class DifferentialCommentSaveController extends DifferentialController { return new Aphront400Response(); } + $viewer = $request->getUser(); + $revision_id = $request->getInt('revision_id'); - $revision = id(new DifferentialRevision())->load($revision_id); + $revision = id(new DifferentialRevisionQuery()) + ->setViewer($viewer) + ->withIDs(array($revision_id)) + ->executeOne(); if (!$revision) { return new Aphront400Response(); } diff --git a/src/applications/differential/controller/DifferentialInlineCommentEditController.php b/src/applications/differential/controller/DifferentialInlineCommentEditController.php index 83756fa88d..62c5d6c781 100644 --- a/src/applications/differential/controller/DifferentialInlineCommentEditController.php +++ b/src/applications/differential/controller/DifferentialInlineCommentEditController.php 
@@ -15,7 +15,13 @@ final class DifferentialInlineCommentEditController $revision_id = $this->revisionID; $changeset_id = $this->getChangesetID(); - if (!id(new DifferentialRevision())->load($revision_id)) { + $viewer = $this->getRequest()->getUser(); + $revision = id(new DifferentialRevisionQuery()) + ->setViewer($viewer) + ->withIDs(array($revision_id)) + ->executeOne(); + + if (!$revision) { throw new Exception("Invalid revision ID!"); } diff --git a/src/applications/differential/controller/DifferentialRevisionEditController.php b/src/applications/differential/controller/DifferentialRevisionEditController.php index 0bdc2b6ec0..ed4886643c 100644 --- a/src/applications/differential/controller/DifferentialRevisionEditController.php +++ b/src/applications/differential/controller/DifferentialRevisionEditController.php @@ -22,6 +22,11 @@ final class DifferentialRevisionEditController extends DifferentialController { ->withIDs(array($this->id)) ->needRelationships(true) ->needReviewerStatus(true) + ->requireCapabilities( + array( + PhabricatorPolicyCapability::CAN_VIEW, + PhabricatorPolicyCapability::CAN_EDIT, + )) ->executeOne(); if (!$revision) { return new Aphront404Response(); diff --git a/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php b/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php index db29521739..ff5f8f73bc 100644 --- a/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php +++ b/src/applications/differential/field/specification/DifferentialFreeformFieldSpecification.php 
@@ -162,8 +162,10 @@ abstract class DifferentialFreeformFieldSpecification $dependents = $this->findDependentRevisions($message); if ($dependents) { - $dependents = id(new DifferentialRevision()) - ->loadAllWhere('id IN (%Ld)', $dependents); + $dependents = id(new DifferentialRevisionQuery()) + ->setViewer($editor->getActor()) + ->withIDs($dependents) + ->execute(); $this->saveFieldEdges( $editor->getRevision(), PhabricatorEdgeConfig::TYPE_DREV_DEPENDS_ON_DREV, diff --git a/src/applications/diffusion/conduit/ConduitAPI_diffusion_getcommits_Method.php b/src/applications/diffusion/conduit/ConduitAPI_diffusion_getcommits_Method.php index ac5e5d31c8..173699fa80 100644 --- a/src/applications/diffusion/conduit/ConduitAPI_diffusion_getcommits_Method.php +++ b/src/applications/diffusion/conduit/ConduitAPI_diffusion_getcommits_Method.php @@ -233,6 +233,10 @@ final class ConduitAPI_diffusion_getcommits_Method private function addDifferentialInformation(array $commits) { $commit_phids = ipull($commits, 'commitPHID'); + // TODO: (T603) This should be policy checked, either by moving to + // DifferentialRevisionQuery or by doing a followup query to make sure + // the matched objects are visible. + $rev_conn_r = id(new DifferentialRevision())->establishConnection('r'); $revs = queryfx_all( $rev_conn_r, diff --git a/src/applications/diffusion/controller/DiffusionBrowseFileController.php b/src/applications/diffusion/controller/DiffusionBrowseFileController.php index 3e6887daf9..279b107889 100644 --- a/src/applications/diffusion/controller/DiffusionBrowseFileController.php +++ b/src/applications/diffusion/controller/DiffusionBrowseFileController.php 
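Review bot: Dependents that `$editor->getActor()` cannot see are now filtered out by the new query before `saveFieldEdges()` runs, and nothing records that they were dropped. If `saveFieldEdges()` rewrites the full edge set (its body is not visible here, so this needs confirming), an edit by an actor with narrower visibility could silently remove an existing `TYPE_DREV_DEPENDS_ON_DREV` edge. I would at least document the intent above the query, e.g. `// NOTE: IDs the actor cannot see are filtered out here, so they never become dependency edges.`. Comparing the requested IDs with the returned ones would make the drop visible. The enclosing method starts and ends outside the hunk.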
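Review bot: The raw `queryfx_all()` read in `addDifferentialInformation()` is still not policy checked, and it sits behind a Conduit method, so it presumably returns revision data to the API caller. Of the sites this commit only marks with a T603 TODO, this one and `PhabricatorSearchSelectController` appear to be the request-facing ones, so I would schedule them ahead of the Herald adapter, commit-owners worker and Releeph loads. The TODO would be more actionable if it named the viewer to use, e.g. `// TODO: (T603) Filter $revs through DifferentialRevisionQuery with the calling user as viewer.`; note that this private method only receives `$commits`, so the viewer has to be passed in. Also, the marker in `ReleephCommitFinder.php` is spelled `TOOD`, so a search for `TODO: (T603)` will miss it.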
@@ -550,18 +550,19 @@ final class DiffusionBrowseFileController extends DiffusionBrowseController { $commits = mpull($commits, null, 'getCommitIdentifier'); } + $request = $this->getRequest(); + $user = $request->getUser(); + $revision_ids = id(new DifferentialRevision()) ->loadIDsByCommitPHIDs(mpull($commits, 'getPHID')); $revisions = array(); if ($revision_ids) { - $revisions = id(new DifferentialRevision())->loadAllWhere( - 'id IN (%Ld)', - $revision_ids); + $revisions = id(new DifferentialRevisionQuery()) + ->setViewer($user) + ->withIDs($revision_ids) + ->execute(); } - $request = $this->getRequest(); - $user = $request->getUser(); - Javelin::initBehavior('phabricator-oncopy', array()); $engine = null; diff --git a/src/applications/herald/adapter/HeraldCommitAdapter.php b/src/applications/herald/adapter/HeraldCommitAdapter.php index 74cdf73a7e..8e07b0163c 100644 --- a/src/applications/herald/adapter/HeraldCommitAdapter.php +++ b/src/applications/herald/adapter/HeraldCommitAdapter.php @@ -211,6 +211,7 @@ final class HeraldCommitAdapter extends HeraldAdapter { $data = $this->commitData; $revision_id = $data->getCommitDetail('differential.revisionID'); if ($revision_id) { + // TODO: (T603) Herald policy stuff. $revision = id(new DifferentialRevision())->load($revision_id); if ($revision) { $revision->loadRelationships(); diff --git a/src/applications/releeph/commitfinder/ReleephCommitFinder.php b/src/applications/releeph/commitfinder/ReleephCommitFinder.php index 71e4b2c301..1c7bfce23a 100644 --- a/src/applications/releeph/commitfinder/ReleephCommitFinder.php +++ b/src/applications/releeph/commitfinder/ReleephCommitFinder.php @@ -23,6 +23,7 @@ final class ReleephCommitFinder { $matches = array(); if (preg_match('/^D([1-9]\d*)$/', $partial_string, $matches)) { $diff_id = $matches[1]; + // TOOD: (T603) This is all slated for annihilation. $diff_rev = id(new DifferentialRevision())->load($diff_id); if (!$diff_rev) { throw new ReleephCommitFinderException( 
diff --git a/src/applications/releeph/controller/request/ReleephRequestDifferentialCreateController.php b/src/applications/releeph/controller/request/ReleephRequestDifferentialCreateController.php index 283924599a..65f4e3dc8f 100644 --- a/src/applications/releeph/controller/request/ReleephRequestDifferentialCreateController.php +++ b/src/applications/releeph/controller/request/ReleephRequestDifferentialCreateController.php @@ -3,21 +3,26 @@ final class ReleephRequestDifferentialCreateController extends ReleephProjectController { + private $revisionID; private $revision; public function willProcessRequest(array $data) { - $diff_rev_id = $data['diffRevID']; - $diff_rev = id(new DifferentialRevision())->load($diff_rev_id); - if (!$diff_rev) { - throw new Exception(sprintf('D%d not found!', $diff_rev_id)); - } - $this->revision = $diff_rev; + $this->revisionID = $data['diffRevID']; } public function processRequest() { $request = $this->getRequest(); $user = $request->getUser(); + $diff_rev = id(new DifferentialRevisionQuery()) + ->setViewer($user) + ->withIDs(array($this->revisionID)) + ->executeOne(); + if (!$diff_rev) { + return new Aphront404Response(); + } + $this->revision = $diff_rev; + $arc_project = id(new PhabricatorRepositoryArcanistProject()) ->loadOneWhere('phid = %s', $this->revision->getArcanistProjectPHID()); diff --git a/src/applications/releeph/controller/request/ReleephRequestEditController.php b/src/applications/releeph/controller/request/ReleephRequestEditController.php index 5d3871f92e..65532155b8 100644 --- a/src/applications/releeph/controller/request/ReleephRequestEditController.php +++ b/src/applications/releeph/controller/request/ReleephRequestEditController.php 
@@ -228,7 +228,10 @@ final class ReleephRequestEditController extends ReleephProjectController { $origin = null; $diff_rev_id = $request->getStr('D'); if ($diff_rev_id) { - $diff_rev = id(new DifferentialRevision())->load($diff_rev_id); + $diff_rev = id(new DifferentialRevisionQuery()) + ->setViewer($user) + ->withIDs(array($diff_rev_id)) + ->executeOne(); $origin = '/D'.$diff_rev->getID(); $title = sprintf( 'D%d: %s', diff --git a/src/applications/releeph/storage/ReleephRequest.php b/src/applications/releeph/storage/ReleephRequest.php index 00beab892c..f8c6de032e 100644 --- a/src/applications/releeph/storage/ReleephRequest.php +++ b/src/applications/releeph/storage/ReleephRequest.php @@ -248,6 +248,7 @@ final class ReleephRequest extends ReleephDAO } } + // TODO: (T603) Get rid of all this one-off ad-hoc loading. public function loadDifferentialRevision() { $diff_phid = $this->loadRequestCommitDiffPHID(); if (!$diff_phid) { diff --git a/src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php b/src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php index 9c06305e75..78d062d223 100644 --- a/src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php +++ b/src/applications/repository/worker/PhabricatorRepositoryCommitOwnersWorker.php @@ -92,6 +92,8 @@ final class PhabricatorRepositoryCommitOwnersWorker $commit_reviewedby_phid = null; if ($revision_id) { + // TODO: (T603) This is probably safe to use an omnipotent user on, + // but check things more closely. $revision = id(new DifferentialRevision())->load($revision_id); if ($revision) { $revision_author_phid = $revision->getAuthorPHID(); diff --git a/src/applications/search/controller/PhabricatorSearchSelectController.php b/src/applications/search/controller/PhabricatorSearchSelectController.php index cab9a98675..cf0f4e1aa0 100644 --- a/src/applications/search/controller/PhabricatorSearchSelectController.php 
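Review bot: In `ReleephRequestEditController`, the result of the new `executeOne()` is dereferenced on the very next line (`$origin = '/D'.$diff_rev->getID();`) with no null guard. The other call sites in this commit check `if (!$revision)` after `executeOne()`, so it can return nothing. With the policy-aware query that now covers revisions the viewer cannot see as well as IDs that do not exist, which would end in a fatal error instead of a clean response. Add the guard before building `$origin`, e.g. `if (!$diff_rev) { return new Aphront404Response(); }`. `$user` is assumed to be assigned earlier in the method; that and the rest of the function lie outside the hunk.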
+++ b/src/applications/search/controller/PhabricatorSearchSelectController.php @@ -93,6 +93,7 @@ final class PhabricatorSearchSelectController switch ($this->type) { case DifferentialPHIDTypeRevision::TYPECONST: + // TODO: (T603) See below. This whole thing needs cleanup. $objects = id(new DifferentialRevision())->loadAllWhere( 'id IN (%Ld)', $object_ids);