
Even without containers, managing permissions across some apps is not that complex for most workflows. Now try to introduce human users and all hell breaks loose unless you have actual ACLs.

This part of a sibling comment deeply resonated with me:

> If you had access to a file in a path 7-directories deep, then you would automagically see the entire path (but only files you had access to in each directory); and if you didn't, neither the leaf nor the 7 directories leading to it existed for you.



> Now try to introduce human users and all hell breaks loose unless you have actual ACLs.

Most apps I've worked with don't use filesystem ACLs for user-facing security.

Suppose you are building a document management system. You might store each document as a file on a filesystem – but you probably won't store "who can access what document" as filesystem ACLs. You'll probably just have a filesystem ACL giving the application access to all the documents, and then enforce user-level access in the application code, with the user-level permissions stored in the application's database.

Human-managed permissions turn into a mess no matter what you do. But enforcing them at the application level, you can make the implementation actually understand some of the business rules which drive them. In a B2B setting, you might have a business rule that for each customer account there is a list of authorised employees allowed to work on that account, plus some workflow process to get approval to permanently or temporarily add an employee to that list. A lot less mess if you build a database and UI around that business rule, than if you just try to store that directly in filesystem ACLs.

A document management system can even export the documents as a network filesystem (WebDAV, CIFS/SMB, NFS, etc.) – but it doesn't have to properly implement filesystem ACLs in doing so; if users want to manage permissions, you force them to use the Web UI instead.
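As an added illustration of the design described in this comment (and of the "you only see the paths you have access to" behaviour quoted further up), the following Python sketch is example code written for this page, not code from any commenter or project. It assumes a hypothetical `DocumentStore` whose process can read every file under a root directory, while per-user access is decided entirely from a `grants` table in SQLite: one row per (customer account, authorised employee), with an `approved_by` column standing in for the approval workflow and an optional expiry for temporary grants. The account names, employees and file contents are constructed sample data.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed schema: authorisation lives in the application's database.
# The filesystem only ever sees the application's own identity.
SCHEMA = """
CREATE TABLE accounts (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE documents (
    id         INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    filename   TEXT NOT NULL
);
-- One row per (customer account, authorised employee).
-- expires_at is NULL for a permanent grant, else a UTC timestamp.
CREATE TABLE grants (
    account_id  INTEGER NOT NULL REFERENCES accounts(id),
    employee    TEXT NOT NULL,
    approved_by TEXT NOT NULL,
    expires_at  TEXT,
    PRIMARY KEY (account_id, employee)
);
"""

# Fixed-width UTC timestamps so SQLite string comparison orders them correctly.
def _ts(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def _utcnow():
    return datetime.now(timezone.utc)

def days_from_now(days):
    """Helper for 'what would this user see at a later date' checks."""
    return _utcnow() + timedelta(days=days)


class DocumentStore:
    """Hypothetical document service: the process can read everything under
    `root`; user-level access is decided by the `grants` table."""

    def __init__(self, root):
        self.root = root
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def add_account(self, name):
        return self.db.execute("INSERT INTO accounts (name) VALUES (?)", (name,)).lastrowid

    def add_document(self, account_id, filename, content):
        # Files live under <root>/<account_id>/<filename>; no per-user ACL is set.
        directory = os.path.join(self.root, str(account_id))
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, filename), "wb") as fh:
            fh.write(content)
        return self.db.execute(
            "INSERT INTO documents (account_id, filename) VALUES (?, ?)",
            (account_id, filename)).lastrowid

    def grant(self, account_id, employee, approved_by, days=None):
        # `approved_by` records the workflow approval; `days` makes it temporary.
        expires = None if days is None else _ts(days_from_now(days))
        self.db.execute(
            "INSERT OR REPLACE INTO grants (account_id, employee, approved_by, expires_at) "
            "VALUES (?, ?, ?, ?)", (account_id, employee, approved_by, expires))

    def can_access(self, employee, doc_id, now=None):
        # The business rule, as one query: document's account has a live grant.
        row = self.db.execute(
            "SELECT 1 FROM documents d JOIN grants g ON g.account_id = d.account_id "
            "WHERE d.id = ? AND g.employee = ? "
            "AND (g.expires_at IS NULL OR g.expires_at > ?)",
            (doc_id, employee, _ts(now or _utcnow()))).fetchone()
        return row is not None

    def read(self, employee, doc_id, now=None):
        # Every read goes through the check; the app, not the kernel, says no.
        if not self.can_access(employee, doc_id, now):
            raise PermissionError(f"{employee} may not read document {doc_id}")
        account_id, filename = self.db.execute(
            "SELECT account_id, filename FROM documents WHERE id = ?", (doc_id,)).fetchone()
        with open(os.path.join(self.root, str(account_id), filename), "rb") as fh:
            return fh.read()

    def visible_documents(self, employee, now=None):
        # Listing is filtered the same way: documents you cannot read do not exist for you.
        rows = self.db.execute(
            "SELECT d.id, a.name, d.filename FROM documents d "
            "JOIN accounts a ON a.id = d.account_id "
            "JOIN grants g ON g.account_id = d.account_id "
            "WHERE g.employee = ? AND (g.expires_at IS NULL OR g.expires_at > ?) "
            "ORDER BY d.id", (employee, _ts(now or _utcnow())))
        return [tuple(r) for r in rows]


def build_demo_store():
    """Constructed sample data: two customer accounts, three employees."""
    store = DocumentStore(tempfile.mkdtemp(prefix="docstore-"))
    acme = store.add_account("Acme Corp")
    globex = store.add_account("Globex")
    ids = {
        "contract": store.add_document(acme, "contract.pdf", b"acme contract"),
        "invoice": store.add_document(acme, "invoice.pdf", b"acme invoice"),
        "roadmap": store.add_document(globex, "roadmap.txt", b"globex roadmap"),
    }
    store.grant(acme, "alice", approved_by="manager")        # permanent
    store.grant(acme, "bob", approved_by="manager", days=7)  # temporary
    store.grant(globex, "carol", approved_by="manager")
    return store, ids


if __name__ == "__main__":
    store, ids = build_demo_store()
    print("alice sees:", store.visible_documents("alice"))
    print("bob in 8 days sees:", store.visible_documents("bob", now=days_from_now(8)))
```

The point of the shape is that the grant table is the only place the rule "employee X may work on account Y until date Z, approved by W" has to be expressed; adding an approval UI, an audit log or a revocation job means touching that table, not rewriting ACLs on every file under the account's directory.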


> Most apps I've worked with don't use filesystem ACLs for user-facing security.

Same here! Although I believe that's a shame we have to pile layers of "security" (or holes) on top of one another. I long for better tooling for FS ACLs and journaling!



