This can potentially lead to negative value as well as recreating the entry after its deletion. I think it's better to be a noop if the counter is not found for the project. The increment method seems fine since it is invoked inside the applier thread.

AFAIU This test is testing only migration version updates, since all security migrations are skipped. This is because the .security index is always newly created without the need for migrations. But for my understanding: there are still changes needed to the concrete SecurityMigration implementations, right?

Unless I'm mistaken there are no supported migrations on multi project today.
The newest migration was for #115823 which was merged into 9.0.0 before Multi Project.
Which means if a cluster has multiple projects then it should also have a security index that can skip all migrations.

I can probably fake the data it in order to test it, but it won't be a real production scenario.

Agreed, no need to adjust or test existing migrations.

To clarify my original concern, there were few bits I was missing which prompted my question:
Missed the fact that the project ID is correctly set in the thread context when migration task is submitted (in sendProjectStartRequest) and it's carried over throughout the task's lifecycle, even though we fork and stash context in migration executor. All migrations are executed within the correct project context and there are no changes needed.