Consider a new permission with the semantics "being able to read only granted cells", perhaps called READ_VISIBLE.
Maybe consider a symmetric new permission for writes.
Just to clarify, we can claim the current code provides this semantic. With the default cell ACL evaluation strategy, in the absence of a CF or CF:qual grant - let's call this "CF level grant" - the user will not be authorized to do anything unless the cell has an ACL that grants appropriate permissions. (Note that with cell-first both a cell ACL must exist and authorize and CF level permissions must also authorize.) Or, with the cell-first ACL evaluation strategy, regardless of CF level grant the cell must have a permission authorizing the action.
The parent talks about having an option for an alternative to this behavior. Let's call that READ_INVISIBLE. Perhaps that is a poor name. Anyway, what would this look like? This, if granted at the CF or table level, would allow the user to see any cell without an ACL? That is equivalent to granting READ permission at the CF or table level today. Or maybe the distinction is pushed down such that it makes a behavioral change with respect to the cell-first ACL strategy, in which case it could be that cells without any ACLs should grant by default instead of deny.
The lack of default READ perm should prevent users from launching scanners.
We don't have this yet.