I understand the current security levels may once have reflected some technical details e.g. the permissions that might be assigned in a particular file system. However, this could be enhanced by a new security level ("Forbidden", "Excluded", "Restrict" or whatever makes sense) that is applied by exception.

A simple example:

Folder "News" has All Company as viewers.

Group "Contractors" are invited as "Restrict" access.

Whenever any user seeks access e.g. viewing the contents of the folder that contains folder "News", they will of course inherit the permissions from the parent, but before being allowed to see "News" Box first checks if the current user has the "Restrict" permission, if so "News" is excluded from the folder listing, if not then the normal permission behaviour applies.

This check would also need to be done for linking using shared links or object id, since if my intent is to "Restrict" a user's access that should always be checked and always enforced.