This is impossible on Windows, AFAIK. There are special flags to the
syscall that opens a file or directory that can bypass any denied
rights to enter a directory or open a file. (These flags allegedly
exist so that system backup and restore programs could DTRT without
running as a privileged user.)

Are you saying that anybody can read any file (or dir) simply by using
those extra flags when they open those files and dirs? So there's no
possible privacy between users on the same machine? If so, we may just
stop worrying about server-ensure-safe-dir under w32 since there's
simply no way for it to be safe (short of encrypting it, which implies
a fairly different UI).
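The flags referred to above are the backup semantics of the Windows file-open call, and the check a defender can actually run is twofold: does the directory's ACL admit anyone other than its owner, and does the current token hold SeBackupPrivilege, the privilege those backup semantics require before ACL checks are bypassed. The following PowerShell script is an added example written for this page; it is not code from the thread or from any project it discusses, and the directory path is an assumed placeholder.

```powershell
# Added example: inspect a directory the way a "safe dir" check on Windows
# would, and report whether the current token holds SeBackupPrivilege.
# The directory path below is an assumption for demonstration purposes.
param([string]$Dir = (Join-Path $env:TEMP 'safe-dir-example'))

if (-not (Test-Path -Path $Dir)) {
    New-Item -ItemType Directory -Path $Dir | Out-Null
}

$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$acl = Get-Acl -Path $Dir

# 1. Ownership: the directory should be owned by the current user.
#    (Members of Administrators may see BUILTIN\Administrators as owner
#    instead, depending on the "default owner" local security policy.)
$ownerOk = ($acl.Owner -eq $me.Name)

# 2. Access entries: principals other than the owner, SYSTEM and the
#    local Administrators group are treated as "other users" here.
$allowed = @($me.Name, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$strangers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }

# 3. Backup privilege: FILE_FLAG_BACKUP_SEMANTICS only bypasses ACL checks
#    for a token that holds SeBackupPrivilege. 'whoami /priv' lists the
#    privileges held by the current token, enabled or not.
$privLines  = whoami /priv
$hasBackup  = [bool]($privLines -match 'SeBackupPrivilege')

[PSCustomObject]@{
    Directory            = $Dir
    Owner                = $acl.Owner
    OwnedByCurrentUser   = $ownerOk
    OtherPrincipals      = ($strangers | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    TokenHasSeBackup     = $hasBackup
    LooksPrivate         = ($ownerOk -and $strangers.Count -eq 0)
}
```

A directory that reports LooksPrivate = True is protected from ordinary users by its ACL; what the backup semantics add is that any token holding SeBackupPrivilege (by default, Administrators and Backup Operators) can still read it, so the privilege assignment on the machine is the thing to audit, not the flag itself.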