It is possible to deny or grant access to Asset folders in the Preside admin for user groups. This works fine in the Asset Manager UI itself.
However if using assets anywhere else in the admin, those folder permissions seem to not be evaluated.
This means that even though a user group might not have access to a folder in the Asset Manager (in fact not even being able to see that folder), this folder still shows up when searching for assets / attachments in the rich editor as well as if using the asset picker form control anywhere. The user is able to pick and use any of the available assets/docs/images.
For example an easy workaround (aka hack) for a user that does not have access to documents in a folder would be to just create a simple page in the site tree, add a link in the rich editor to that document in there and then use that link to download it.
It would be highly appreciated if the permissions would be evaluated in all places in the backend where assets can be used.