03/24/2023, 1:59 AM
If I enable project network isolation when creating the cluster, can I then edit which projects can access which other projects after the fact, or is it a solid wall?


03/24/2023, 10:37 AM
While this is sheer guesswork, I'd assume that this would be using Kubernetes network policies, which function as an allow-all if there are 0 and as a block on all traffic between namespaces that aren't in a policy if there are >0. From what I recall, from Rancher 2.6 onward they aimed for everything in the GUI to be a match to general Kubernetes functionality, so that's where I'd guess that project network isolation would be setting network policies and only adding namespace-to-namespace communication for namespaces within the same Rancher project (and Rancher projects are pure metadata from Kubernetes' stance and not Kubernetes objects). If that assumption is correct, there'd be no reason you couldn't have network policies to allow communication between namespaces in multiple projects on the Kubernetes side. On the Rancher side it might not let you do it with projects, so you might have to just do network policies between namespaces, but poking around in the UI should show you options there. Once again, that's sheer guesswork.