In my testing, preventing the cohort:view capability for the teacher (or manager) role does nothing when those roles are assigned at the course level. If the system and/or category cohorts are visible, both roles can see them in the Enroll user screen no matter what permission the cohort:view capability has. The only way to prevent the cohorts from being used for manual enrollment in this scenario is to hide them. But this means that managers, along with teachers, won't be able to use them for manual enrollment. This is what I mean when I say that cohort:view appears to have no effect (at least at the course level).
The cohort:view capability does appear to come into play to some extent when the manager role is assigned at the category level. If cohort:view is set to ALLOW, and all system and category cohorts are HIDDEN, then a manager assigned at the category level CAN see and use category cohorts for manual enrollment (but not system cohorts). If cohort:view is prevented (and all cohorts remain hidden), then managers cannot see/use the category cohorts.
In my situation, I can make this work. Since I don't want managers or teachers assigned at the course level to be able to use cohorts for manual enrollment, I will just need to hide all system and category cohorts. We have a special role called Category Manager that is only assigned at the category level. By hiding all the cohorts, the Category Managers will be able to use them for manual enrollment (by keeping cohort:view set to ALLOW). I will also need to instruct Category Managers to hide all cohorts they create manually if they don't want their teachers to use these cohorts for manual enrollment. Beginning in August, we will begin generating cohorts from external sources. We will make sure these are all hidden.
I still would argue that the current behavior of cohort:view is, at best, ambiguous, confusing, and poorly documented. It doesn't do what you think it should. Naming it "site-wide cohort" is also confusing since this term doesn't really appear anywhere (is "system cohort" the proper term?). And the documentation is problematic, too. I hope how this capability works will be reviewed in the future.
Thanks for all the responses. This really helped confirm what I was seeing. -- Brian