In the file /modules/addons/addondomain/ACLMenus.php you can define exactly which ACL setting affect which menus or requests.
An example use case:
You are using a third party DNS management module which does not depend on the "DNS Management" setting from the whmcs admin domain page. But you do not want to show this option at free domains because clients should use the webspace for setting DNS records.
Lets see the current restriction array:
In our example, your third party DNS management module is named "bestdnsmanagement", so we expend the array like here:
At the array Menu write the menu name. Fragment is optional and defines the HTML fragment (#tabBestdnsmanagement) which will be unaccessable for direct access.
Some users with advanced IT knowledge may try to bypass the ACL filter with spoofed or manipulated requests, this is why the filtering works on 3 levels.
More comments about this function can be found inside of the file.