At the moment permission sets work cumulatively and are inclusive, meaning that a permission set grants access, rather than limit it.

This means that if you want to restrict a user's access, a new custom permission set needs to be created.

Often this is done by copying a default permission set and then remove permissions, or set security filters.

This means that every update, when new objects are added, the custom permission set need to be updated manually which is often a trial and error activity.

It would be great, if it is possible to create a permission set that rather than include permissions, excludes permissions, for example by adding "type" flag on the header or line which says "grants" or "revokes" to make sure that a user cannot see specific objects.

This would only work in tandem with a hierarchy structure of permissions sets where on the header level you can set a value (e.g. 10,20,30 as often done with priority fields).

This way you can use the default permission set which is updated by Microsoft when updates are rolled out and grant this a lower priority, then assign a user a custom permission set with a higher priority that excludes specific objects.