I have a requirement where I need to restrict the export data functionality for some users. What I have done is, created a new role NoExport, disabled the default security rule, added a stream level security rule with condition user role != NoExport. It is workign fine. But the problem with this approach is that I need to create one security rule per stream.
And there is one more issue. If 1 user has access to 2 streams and he needs to have export data privilege in one stream and no privilege in another, this approach won't work.