There has been a lot of discussion on this aspect in both the developer and user forums. Even though the portlet content can be controlled from within the Portlet (by checking for the appropriate roles), it would be nice to control the content from a layer above like PSML (or the RdbmsPolicy). That gives the programmer the flexibility to modify the permissions per portlet, and hence the content without any code change.
Since the feature has already been implemented, but just disabled (refer David's and Randy's comments in the forums), I hope its not too much of work to provide this feature. Sincerely appreciate your effort folks!