Scenario:
In the folder 'CAR' I have two subfolders, 'CAR1' and 'CAR2'. I have 2 users, 'A' and 'B', of group 'Dealer'. Here the folder 'CAR1' belongs to 'A' and 'CAR2' belongs to 'B'. When I assign 'view' permission to the folder 'CAR', it is inherited by the subfolders.
The sharing tab has its own set of permissions. Customize your workflow so that the sharing tab is only available to the site administrator. This way your users cannot access the sharing form.
You can use different states (Shared: Group A, Shared: Group B, Shared: All) for each folder so you can control which group will have access to each one. Workflows allow you to change the role of the group in a particular state.
Then it only means that the permission granted came from its parent container. You need to customize the permissions applied to your object such that, if you block permission inheritance, the custom permissions set on your object are the ones that are followed.
The way Plone checks security is that it reads the user's permissions applied on the object or context first, but it does not stop there if inheritance is allowed. With acquisition, it will also consult the permissions applied on its container tree up to the site root. Inheritance is partly the reason why site administrators can access everything by default.
From the code I have seen in your posts, you use the Plone API so it may be a feature or a bug that the removal of the permission is also applied to its container tree.
Before assigning the roles via program, I have assigned it manually via the sharing tab and workflow.
When I used disable_roles_acquisition() in the program, I just unchecked the "Inherit permissions from parent" checkbox, but the roles acquired previously were present.
I removed roles in all the pages manually and ran the Python script again.
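
A simplified model of the lookup discussed in this thread, added here as an example; it is not Plone's or plone.api's code. The `Node` class, the `block_inherit` flag, `effective_roles` and the `Reader` role name on the sample folders are assumptions made for illustration. It shows why blocking inheritance hides roles that come from the container tree but leaves roles that were assigned directly on the folder.

```python
# Simplified model of local-role lookup with acquisition (not Plone's code).
class Node:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.local_roles = {}       # principal -> roles set directly on this node
        self.block_inherit = False  # models unchecking "Inherit permissions from parent"

    def grant(self, principal, *roles):
        self.local_roles.setdefault(principal, set()).update(roles)

    def revoke(self, principal):
        self.local_roles.pop(principal, None)


def effective_roles(node, principals):
    """Union of local roles for a user and their groups, walking up the tree."""
    roles = set()
    while node is not None:
        for principal in principals:
            roles |= node.local_roles.get(principal, set())
        if node.block_inherit:
            break  # containers above this node are no longer consulted
        node = node.parent
    return roles


def scenario():
    """Constructed data following the thread: CAR/CAR1 for A, CAR/CAR2 for B."""
    car = Node("CAR", Node("site"))
    car1, car2 = Node("CAR1", car), Node("CAR2", car)
    car.grant("Dealer", "Reader")   # 'view' given to the group on the parent
    car1.grant("A", "Reader")
    car2.grant("B", "Reader")
    return car1, car2


if __name__ == "__main__":
    car1, car2 = scenario()
    user_b = ("B", "Dealer")        # the user id plus the groups it belongs to
    print("B on CAR1, inheriting:", effective_roles(car1, user_b))
    car1.grant("Dealer", "Reader")  # a role assigned earlier, directly on CAR1
    car1.block_inherit = True
    print("B on CAR1, blocked, stale local role:", effective_roles(car1, user_b))
    car1.revoke("Dealer")
    print("B on CAR1, blocked, local role removed:", effective_roles(car1, user_b))
    print("A on CAR1:", effective_roles(car1, ("A", "Dealer")))
```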