“Stop sharing this folder” is not the same as “Never share this folder”
A security vulnerability report arrive that went roughly like this:
- Create two users on the system, call them A and B.
- Sign on as A.
- Create a folder, let’s call it X.
- In Explorer, right-click the folder X, and select “Give access to”, “Specific people”, and grant access to B.
- Now right-click the folder X again, and select “Give access to”, “Remove access”, “Stop sharing” to remove access and stop sharing.
- Go up a level and right-click on X’s parent folder, and select “Give access to”, “Specific people”, and grant access to B.
- Sign on as B.
- Observe that B has access to folder X even though access was removed in step 5.
While it’s true that access was removed in step 5, it’s also the case that access was re-granted in step 6.
The finder argued that B should not have access to folder X because B was restricted from having access to the folder by step 5.
Removing access is not the same as “block future access”. Removing access means “Hey, like, if there was anybody that was given access, remove that access entry.” This means that they can’t access this folder directly. However, it doesn’t prevent them from accessing the folder by other means, such as by coming through the parent folder, or (even more simply) by you adding access later.
If you want to deny access to the folder, you can go to Advanced security and add them to the Deny list for the folder.¹
Mind you, even that is not an absolute “block future access”: You could always come back later and remove them from the Deny list.
¹ When you share the parent folder, you are reminded that the subfolder has conflicting security and asks if you want to replace the current security settings on the subfolder with the settings of the parent, or whether you want to keep the separate settings for the subfolder.