We would like to have a very simple setup:
- a group of staff users that have access to all the contacts in CiviCRM
- all the other users (let's call them volunteers) that would have access to all contacts except a group of sensitive contacts
Yes, you can remove the rights to view & edit contacts for volunteers and set up the group of contacts that volunteers will be able to access - sort of everybody except sensitive contacts (let's call them unrestricted contacts). But volunteers do not have access to all the predefined groups, smart groups, etc. - the only one that they see is unrestricted contacts. When a volunteer adds a contact and does not assign it to unrestricted contacts, the contact that they added disappears from their view. Also, a volunteer is not able to assign a new contact to any other group than unrestricted contacts. And this does not protect other modules' information for the restricted contacts, like activities, events, etc.
So ACL does not work in a way that restrictions cut through all the existing features, groups, lists, and modules in CiviCRM (which is what I would expect).
Also, I would prefer to have the opposite situation. I would prefer to define a restricted group of contacts and not define an unrestricted group. It makes more sense to review who is restricted, and usually this group is smaller.
Also, I find it unnecessarily redundant that you have to define the group in Drupal, then define the same group in CiviCRM, then assign this group to a role, and then finally define the ACL.
Plus the idea of mixing the administration groups (like users that can log in and are considered as staff) and content-related groups (like contacts that we send a bulletin to) is not very good, handy, or elegant, and sometimes not very diplomatic. Not to mention the fact that a staff member can add or remove a user to/from an ACL group, which I find a bit insecure.
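To make the two access models in this post concrete, here is a small added example (not CiviCRM code, and not the poster's configuration). It models contacts, group membership and two ACL strategies: the allow-list style the poster currently has (volunteers see only members of an "unrestricted" group) and the deny-list style they would prefer (volunteers see everything except members of a "sensitive" group). The contact names, group names and ids are constructed sample data. It reproduces the "contact I just added disappears" behaviour of the allow-list model, and also shows the flip side a practitioner should weigh: under the deny-list model a contact that should be sensitive but has not been tagged yet is visible to volunteers (fail-open), while the allow-list model hides it (fail-closed).

```python
"""Toy comparison of allow-list vs. deny-list contact ACLs.

Added example; the data model and the two ACL functions are
simplifications and do not reflect CiviCRM's actual ACL implementation.
"""
from dataclasses import dataclass, field

STAFF = "staff"
VOLUNTEER = "volunteer"


@dataclass
class Contact:
    contact_id: int
    name: str
    groups: set = field(default_factory=set)


def visible_allow_list(contacts, role, allowed_group="unrestricted"):
    """Allow-list model: volunteers see only members of `allowed_group`;
    staff see every contact."""
    if role == STAFF:
        return {c.contact_id for c in contacts}
    return {c.contact_id for c in contacts if allowed_group in c.groups}


def visible_deny_list(contacts, role, denied_group="sensitive"):
    """Deny-list model: volunteers see everything except members of
    `denied_group`; staff see every contact."""
    if role == STAFF:
        return {c.contact_id for c in contacts}
    return {c.contact_id for c in contacts if denied_group not in c.groups}


def build_sample_contacts():
    # Constructed sample data: two unrestricted contacts and one sensitive one.
    return [
        Contact(1, "Alice", {"unrestricted", "newsletter"}),
        Contact(2, "Bob", {"sensitive"}),
        Contact(3, "Carol", {"unrestricted"}),
    ]


def add_contact(contacts, name, groups=None):
    """Create a contact with whatever groups the creator picked (possibly none)
    and return its id."""
    new_id = max(c.contact_id for c in contacts) + 1
    contacts.append(Contact(new_id, name, set(groups or [])))
    return new_id


def compare_models():
    """Run the two scenarios from the post against both ACL models."""
    contacts = build_sample_contacts()

    # Scenario 1: a volunteer adds a contact and forgets the group assignment.
    dave_id = add_contact(contacts, "Dave")
    # Scenario 2: staff add a contact that should be sensitive but has not
    # been tagged yet (a data-entry lag, not a deliberate choice).
    eve_id = add_contact(contacts, "Eve")

    allow_view = visible_allow_list(contacts, VOLUNTEER)
    deny_view = visible_deny_list(contacts, VOLUNTEER)

    return {
        "allow_view": sorted(allow_view),
        "deny_view": sorted(deny_view),
        # Allow-list: the volunteer's own new contact vanishes from their view.
        "allow_list_hides_own_new_contact": dave_id not in allow_view,
        "deny_list_shows_own_new_contact": dave_id in deny_view,
        # Both models hide a contact that IS tagged sensitive.
        "allow_list_hides_tagged_sensitive": 2 not in allow_view,
        "deny_list_hides_tagged_sensitive": 2 not in deny_view,
        # Untagged-but-should-be-sensitive: allow-list fails closed,
        # deny-list fails open.
        "allow_list_hides_untagged": eve_id not in allow_view,
        "deny_list_exposes_untagged": eve_id in deny_view,
    }


if __name__ == "__main__":
    for key, value in compare_models().items():
        print(f"{key}: {value}")
```

The point of the two scenarios together is that the choice the post raises is not only about convenience: a deny-list keeps a volunteer's newly added contacts visible and gives you a smaller group to review, but it only protects contacts someone has already tagged, so it needs a reliable process for tagging new sensitive contacts before volunteers can see them.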