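Linux user account isolation: remove permissions on /usr/bin files for one specified user only (the account is called `untrusted` in the commands below). These ACLs cover /usr/bin only; programs in other directories, and files the user can create and execute elsewhere, are not restricted by them.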

set a default ACL so that files created in /usr/bin later give the user no permissions:
# Default ACL on the directory: files created in /usr/bin from now on inherit
# an entry that gives user "untrusted" no access. Files already present are
# not touched by this command.
sudo setfacl --default --modify=user:untrusted:--- /usr/bin

remove all permissions for the user from every regular file already in /usr/bin:
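# Add a "no access" ACL entry for user "untrusted" to every regular file
# under /usr/bin. -exec ... {} + passes the paths straight to setfacl, so a
# name containing spaces, glob characters or backslashes is not split or
# altered (the earlier `while read f ... $f` form did both), and setfacl is
# started once per batch of files instead of once per file.
# -type f does not match symlinks, so a link whose target lives outside
# /usr/bin leaves that target without the deny entry.
find /usr/bin/ -type f -exec sudo setfacl -m u:untrusted:--- {} +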

whitelist what you need (removing the user's ACL entry makes the file's normal permissions apply again):
# Drop the named-user entry for "untrusted" from ls; access to the file is
# then decided by its remaining owner/group/other permissions.
sudo setfacl --remove=user:untrusted /usr/bin/ls

whitelist multiple files:
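# Remove the deny entry for each listed program. Keep the list as short as
# the account's task allows.
# "${a[@]}" and "/usr/bin/$x" are quoted so each array element stays one
# word and is never glob-expanded before it reaches setfacl.
a=( "ls" "env" "chmod" "nano" )
for x in "${a[@]}"; do
  sudo setfacl -x u:untrusted "/usr/bin/$x"
done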

blacklist a single file:
# Add (or reset) the named-user entry so "untrusted" has no read, write or
# execute permission on this one file.
sudo setfacl --modify=user:untrusted:--- /usr/bin/flatpak
