Deny by default?

A customer asked for a specific sharing configuration. I’d like to use groupfolders for keeping the directory structure, but they have a very detailed access permission to set. Basically I’d have to deny all folders unless specifically allowed.

As of today I need to allow groupfolder access to all uses in a group, then for each subfolder deny access for every user which doesn’t have to enter it.

So it’s substantially a deny by default rule, which is not possible right now. I was wondering if this could be done differently, or would be worth reporting as an enhancement to the devs.

I know in this situation the easiest way would be to share the single folders to users, but then I’d lose the folder hierarchy.