Security is very difficult to get right. The more flexible you try to make it the more complex it becomes and the the chances for mis-configuration increase and this can reduce security. Keeping it as simple as possible is a feature that improves security.
In mojoPortal we support view/edit permissions at the page level and the content instance level. If a specific custom feature needs more granular permissions, they can define those in their features and use our AllowedRolesSetting control as I wrote about on this thread.
It only shows hidden users for the admin when he searches for the user not by browsing the alpha links.