I wonder if you can exclude groups of users by using access control lists, rather than just listing those you want to include?
Being able to define groups of resources via regular expressions is very useful. It allows one to create a root ldp:Container that gives rights to its children in one rule.
rww-play implements a acl:regex relation, which currently uses Java Regular expressions to specify a constraint on an agent class:
 acl:accessToClass [ acl:regex “https://joe.solid.example/.*” ]; acl:mode acl:Read; acl:agentClass foaf:Agent .
One could use POWDER, or invent some simpler notation.
Then from https://www.w3.org/TR/powder-dr/
Example 2-5: A POWDER Document Containing Disjoint Description Resources [XML]