  1. eZ Publish / Platform
  2. EZP-17656

Subtree limitation is not properly honored for multi-located contents


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • None
    • 4.0.7, 4.4.0
    • None
    • Operating System: Debian Linux
      PHP Version: 5.2.6
      Database and version: MySQL 5.1
      Browser (and version): n/a

    Description

      As rights management is handled at object level whatever the limitation type, the subtree limitation does not seem to be strictly and properly handled when an object holds multiple nodes. Restricted nodes may then be accessible to users that don't match the subtree policy prerequisite.

      Considering two subtrees (one private and one public), as soon as the user is allowed in one of those subtrees, he is able to access all of the object's nodes (URI access and fetch node).
      As I would expect that nodes held in restricted subtrees should not be accessible to a user who does not own a policy for the subtree, playing with subtree limitation and nodes is then very confusing and inconsistent.

      Steps to reproduce
      • Create a public folder (i.e. 'Public')
      • Create a restricted folder (i.e. 'Secure')
      • Create a new content object whose node will be placed in the public folder, and add an object location in the secure folder
      • Now add a subtree limitation on the public folder to the anonymous user. The expected result is that no content from the secure folder will be accessible to anonymous anymore.
      • Check the secured content by directly accessing the content URI from your browser (i.e. http://mydomain.com/Secure/Restricted ). You will be able to access and display the node; it is granted although the subtree was not given to anonymous allowed policies.
        You can also try to add a fetch('content','node',...) in your templates; the secured node will be given as a result, whatever the subtree policy status is, as soon as a node was accessible somewhere.
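
The difference between the object-level decision described in this report and the per-node decision the reporter expects, as an added example that is not part of the original report and is not eZ Publish code. The node IDs, path strings and function names are constructed for illustration; the node-level function models the expected behaviour, not the project's actual fix.

```php
<?php
// Constructed model: one content object with two locations (nodes), each
// identified by a path string ending in "/" (IDs are made up).
$object = [
    'locations' => [
        'public' => '/1/2/60/62/', // node under the 'Public' folder (/1/2/60/)
        'secure' => '/1/2/61/63/', // node under the 'Secure' folder (/1/2/61/)
    ],
];

// Anonymous read policy with a subtree limitation on 'Public' only.
$allowedSubtrees = ['/1/2/60/'];

// True when $nodePath lies inside one of the allowed subtrees. The trailing
// slash keeps /1/2/60/ from also matching a sibling such as /1/2/600/.
function underSubtree(string $nodePath, array $subtrees): bool
{
    foreach ($subtrees as $subtree) {
        if (strncmp($nodePath, $subtree, strlen($subtree)) === 0) {
            return true;
        }
    }
    return false;
}

// Behaviour described in the report: the decision is made per object, so
// the requested node is ignored and any matching location grants access.
function canReadObjectLevel(array $object, string $requestedNode, array $subtrees): bool
{
    foreach ($object['locations'] as $path) {
        if (underSubtree($path, $subtrees)) {
            return true;
        }
    }
    return false;
}

// Behaviour the reporter expects: only the requested node's own path counts.
function canReadNodeLevel(array $object, string $requestedNode, array $subtrees): bool
{
    return in_array($requestedNode, $object['locations'], true)
        && underSubtree($requestedNode, $subtrees);
}

foreach ($object['locations'] as $label => $path) {
    printf("%-6s object-level=%s node-level=%s\n", $label,
        var_export(canReadObjectLevel($object, $path, $allowedSubtrees), true),
        var_export(canReadNodeLevel($object, $path, $allowedSubtrees), true));
}
```

A regression test for this class of bug should request every location of a multi-located object as the restricted user and assert that only the locations inside the allowed subtree are readable, both by direct URI and through node fetches.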

          People

            jv@ez.no jv@ez.no
            alexandre.nion alexandre.nion