  1. Jackrabbit Oak
  2. OAK-8000

AccessControlManagerImpl.getEffectivePolicies(String) doesn't respect restrictions

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: core, security
    • Labels: None

    Description

      stillalex, looking at the implementation of AccessControlManagerImpl.getEffectivePolicies(String) I noticed that the implementation only walks up the hierarchy collecting the access control lists but does not evaluate whether the individual entries actually take effect on the tree defined by the 'absPath' param. While this is always true for entries without restrictions, it doesn't necessarily apply for entries that hold restrictions.

      The easiest way to fix this was probably to call the variant of createACL that takes a Predicate and use that one to read and evaluate the restriction pattern present with each entry tree.

      Since the AccessControlManager.getEffectivePolicies is defined to be best-effort, I don't consider this a serious flaw. But for the sake of improved accuracy it might still be worth addressing. wdyt?

      Attachments

        1. OAK-8000.patch
          13 kB
          Angela Schreiber
        2. OAK-8000-test.patch
          36 kB
          Angela Schreiber
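
A simplified, self-contained Java model of the behaviour described in this issue (an added example, not Oak code and not taken from either attached patch): `effectivePrincipals` walks up from `absPath` collecting entries, and the `evaluateRestrictions` flag shows how testing each entry's restriction against `absPath` changes what is reported. The `Entry` record, the sample paths and principals, and the path-prefix restriction are constructed for illustration and do not reproduce Oak's restriction implementation.

```java
import java.util.*;
import java.util.function.Predicate;

public class EffectivePoliciesModel {
    // Simplified stand-in for an access control entry (not Oak's ACE type).
    // 'restriction' decides whether the entry applies to a given target path.
    record Entry(String principal, String privilege, Predicate<String> restriction) {}

    static final Predicate<String> UNRESTRICTED = path -> true;

    // Constructed sample data: entries keyed by the path of the node holding the ACL.
    static final Map<String, List<Entry>> ACLS = Map.of(
        "/", List.of(new Entry("everyone", "jcr:read", UNRESTRICTED)),
        "/content", List.of(
            new Entry("editors", "jcr:write", UNRESTRICTED),
            // Hypothetical restriction: entry only takes effect below /content/drafts.
            new Entry("authors", "jcr:write", p -> p.startsWith("/content/drafts/"))));

    // absPath itself followed by each ancestor up to the root.
    static List<String> selfAndAncestors(String absPath) {
        List<String> paths = new ArrayList<>();
        for (String p = absPath; ; p = p.substring(0, Math.max(p.lastIndexOf('/'), 1))) {
            paths.add(p);
            if (p.equals("/")) break;
        }
        return paths;
    }

    // Walks up the hierarchy collecting entries. With evaluateRestrictions=false
    // every entry found is reported (the behaviour the issue describes); with
    // true, entries whose restriction does not match absPath are skipped.
    static List<String> effectivePrincipals(String absPath, boolean evaluateRestrictions) {
        List<String> result = new ArrayList<>();
        for (String path : selfAndAncestors(absPath)) {
            for (Entry e : ACLS.getOrDefault(path, List.of())) {
                if (!evaluateRestrictions || e.restriction().test(absPath)) {
                    result.add(e.principal() + ":" + e.privilege());
                }
            }
        }
        return result;
    }

    public static void main(String[] args) {
        String target = "/content/site/page"; // constructed target path
        System.out.println("walk only:         " + effectivePrincipals(target, false));
        System.out.println("with restrictions: " + effectivePrincipals(target, true));
    }
}
```

For the constructed target path, the walk-only result includes the restricted `authors` entry even though its restriction does not match that path; the restriction-aware result omits it.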

          People

            angela Angela Schreiber