If a Collection/array of domain objects are presented to BasicAclEntryAfterInvocationCollectionFilteringProvider, the filtering will occur at the level of the presented Collection/array only.
We should consider adding a feature to BasicAclEntryAfterInvocationCollectionFilteringProvider that allows it to reflectively evaluate each property to locate internal Collections/arrays. These would then be processed at an ACL level. This would continue so any level of object nesting is processed. It would be necessary to avoid infinite loops, as one object may refer (by reference) to a parent object. The Acegi Security domain subproject contains some examples of this sort of detection behaviour in its validation package.
Such a new feature must be switchable, as the expense of reflectively evaluating every domain object in a Collection/array may be high.