Open
@theronic
Description
e.g. `permission can_only_read = reader - writer`
This is not currently supported by EACL because it would require multiple permission checks: who can MINUS who can't, which would require strong caching mechanisms that I don't currently want to implement, because EACL is fast enough for its use-case.
You can do this in caller code by having `can_read` & `can_write` permissions and querying `(and (can? subject :can_read resource) (not (can? subject :can_write resource)))`. This is what the caching mechanism would have to run, but caching will require cleanup and lots of work.
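
The caller-side composition described in the issue, wrapped in a helper, as an added example that is not part of the original issue or EACL's own code. The wrapper denies when any check throws, because an exclusion check that failed and was treated as false would be negated into a grant. Assumptions: `can?` is a stand-in over constructed in-memory data using the argument order shown in the issue, and `can-only?`, `relationships` and `permission->relation` are hypothetical names.

```clojure
(ns example.exclusion)

;; Constructed sample data: direct relations per resource.
;; This is not EACL's storage model, only enough to drive the example.
(def relationships
  {:doc-1 {:reader #{:alice :bob}
           :writer #{:bob}}})

;; Hypothetical mapping from a permission to the relation that grants it.
(def permission->relation
  {:can_read  :reader
   :can_write :writer})

(defn can?
  "Stand-in for a permission check: true when `subject` holds the relation
  backing `permission` on `resource`. Unknown permissions resolve to no one."
  [subject permission resource]
  (contains? (get-in relationships
                     [resource (permission->relation permission)]
                     #{})
             subject))

(defn can-only?
  "True when `subject` has the `allow` permission and none of the `deny`
  permissions on `resource`. `check` is the permission predicate to use.
  Fails closed: if any check throws, the result is false, so an error in
  the exclusion check can never be negated into access."
  [check subject allow deny resource]
  (try
    (boolean
      (and (check subject allow resource)
           (not-any? #(check subject % resource) deny)))
    (catch Exception _
      false)))

;; The can_only_read = reader - writer case from the issue.
(comment
  (can-only? can? :alice :can_read [:can_write] :doc-1)  ; reader only
  (can-only? can? :bob   :can_read [:can_write] :doc-1)  ; reader and writer
  (can-only? can? :carol :can_read [:can_write] :doc-1)) ; no relation at all
```

The two checks are separate calls, so a relationship written between them can make the combined answer inconsistent; run both against the same view of the data where the backing store allows it.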