Right now, getAllowedUsers and getDeniedUsers with same parameters can return the same users. Is it the ProfileAssignmentStorage which is responsible to not have this kind of inconsistence, or is is later when using those methods that we do (allowed - denied) to talk about allowed ?