We do it this way. All default users we want to have are inside XWikiAllGroup with allowed view (and edit) everywhere.
But we have a MinimalReadGroup with only this views allowed (including their children):
- Anwendungen.Wiki.Admin.Articles with Script (custom articles for include macro etc.)
- Anwendungen.Wiki.Admin.Macros, Plugins, Scripts (custom macros, a11y scripts etc.)
- Anwendungen.Wiki (all custom wiki manuals)
- FlamingoThemes (our skin default)
- FlamingoThemes.Custom (our custom style for this skin)
- IconThemes (we used some icons in manuals)
- Main (our start page should be visible to all)
- Menu (topmenu including links to manuals/help)
- Panels (navigation panel on the left)
- PanelsCode (code for mentioned panel)
- Sandbox (because it’s linked in the topmenu too)
- Tour (interactive tours)
- TourCode (code for this tours)
- XWiki (many macros and much more for a functional wiki)
So users we only want to show specific spaces become member of MinimalReadGroup and get their space allowed to view.