Application-access-rights exceptions in D+ currently either block or allow an explicity specified
parameter or group of objects, which IMHO isn’t exactly fine-grained.
I think the option for setting Read/Write/Modify flags are much more feasible as
opposed to completely blocking or allowing specific app resources under said app’s
D+ exceptions.
One could arguably toy around with Microsoft’s builtin azman, azroles, and file permissions to
achieve this goal, but meh.