We found a terrible limitation of Vault regarding Folder security. If you define a folder security to deny access to a group of user, this groups can even found files in this folder because the file lifecycle give this right.
This limitation has no sense. If the folder deny access to a group of users, all files in this folder must be denied too.
Actually, the only workaround I found is to create a specific lifecycle for files in this folder but this became very complicated.
How Vault must works: ACL on a files must be a combination of all ACL show example in attach.