Right now, using 'adddeny' denies both writes and reads. Moreover, following it with 'addread' doesn't help at all. This makes it impossible to restrict the ebuild from overwriting sources while letting it read them.
the default behavior is already to allow reading but disallow writing. the only way you get write access to a path is to explicitly allow it via `addwrite`.
This would require PMS changes.