In this use case, a deeply nested file system sub-tree was created as world-readable, followed by a subsequent requirement to block access for a specific user to all files in that sub-tree.
This use case can be addressed by setting an ACL on the root of the sub-tree with a named user entry that strips all access from the user.
For this file system structure:
dir1 `-- dir2 `-- dir3 |-- file1 |-- file2 `-- file3
Setting the following ACL on "dir2" blocks access for Bruce to "dir3," "file1," "file2," and "file3":
user:bruce:---
More specifically, the removal of execute permissions on "dir2" means that Bruce cannot access "dir2", and therefore cannot see any of its children. This also means that access is blocked automatically for any newly-added files under "dir2". If a "file4" is created under "dir3", Bruce will not be able to access it.