Trying to understand the inheritance structure of Membership 3.x ACLs

After working with this plugin on a couple of different sites, I have some questions.

Let's say I have several pages and a bunch of posts I want to protect - but not all of them. It would be unbelievably inefficient to have to go through and manually protect or unprotect a post for all member groups every time content is published. My workaround is to create a category called "Members Only" that I can protect by default.

I'm a bit surprised you haven't done membership level options as a custom taxonomy. That would allow this structure to be applied at the time of creation without muddying up the default categories (I did notice you can't protect a tag, only a category, which is also weird and inefficient)

So here's the question:

Is the plugin permissive or restrictive by default?

In other words, if I restrict a post to "gold members" only (for example) but a silver "trial member" gets access to a handful of gold posts as part of the 14 day test package (clearly we aren't talking about dripped content in this case) - does allowing access to all posts also tagged as silver override the members only content restriction? Or does the fact the higher member level "restrict access"setting override the trial member permissions?

It is about 90% possible I'm not understanding the best way to create a limited access content profile for trial members.

The trick here is that I don't want to restrict all posts, or even all posts in a category. In the case of benchbusters.com, in fact, I would put a video blog after the "more" seperators and selectively allow the occasional post-more to be world-viewable as a teaser. Silver level members might gain access to 20% of the posts vs 5%.

Again, I realize dripped content is the answer here but the client isn't ready to make the jump to a monthly payment model vs an lifetime sub model just yet.

Solving a security issue like this really requires knowing if you follow the Linux or Windows ACL model. I'm sure I could figure this out by trial & error but that's a lot of leg-work to do for a question I could just as easily ask the developers.