I like Data policies in CDS environments but they miss something: If a user has been excluded from reading an Entity, that user should not be able to access the Entity in the portal at all. Now a user can see the entity's Fields, Field Groups, Keys, and Relationships. I do not think these should be accessible. The whole entity should be hidden from that user if that user has no access to it.
Thanks Yahya for the feedback. At the moment we are intentionally showing all entities available within the environment to avoid customizers creating duplicate sets of data within the same environment. The idea being if they can see the entity exists, there is a higher chance they will use that entity and gain access, rather than creating duplicate sets of data within the same environment.
If you would like complete separation between the customizers, the best approach at this point is to create a separate environment and control access at that level.
I am declining this feature for the moment, but please continue to provide feedback if this is blocking a specific scenario for you.