Magnolia / MAGNOLIA-2316

ACLs assigned directly to user are not used at runtime.


    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • 3.6.2, 3.6.3
    • 3.6.1
    • security
    • None

      The ACLs set directly on the user node are not added to the permission lists on login at the moment, which means they are never used during runtime. It can be easily tested by removing acl_roles children from any user ... after doing so the user can still log in without any problems even though in theory (s)he no longer has rights to even read his/her own node data.
      Another case that exposes this issue is the fix for MAGNOLIA-574 - when the user edit dialog is enabled directly without the user having rights to access their node via role or group rights, the given user will not be able to edit his/her preferences even though they have such preferences assigned directly to their account.


              had Jan Haderka
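
The gap described in this issue, as an added example that is not Magnolia code or part of the original report: a simplified Python model of collecting permissions at login, with and without the entries set directly on the user node. All class and function names, the fnmatch pattern syntax, the union-of-grants evaluation and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

READ, WRITE = 1, 2  # permission bits, constructed for this model

@dataclass(frozen=True)
class Ace:
    repository: str  # repository the entry applies to
    pattern: str     # path pattern in fnmatch syntax (assumption)
    perms: int

@dataclass
class Role:
    name: str
    aces: list = field(default_factory=list)

@dataclass
class Group:
    name: str
    roles: list = field(default_factory=list)

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    aces: list = field(default_factory=list)  # ACLs set directly on the user node

def permissions_at_login(user, include_direct=True):
    """Build the permission list from roles, group roles and, optionally, the user node."""
    inherited = list(user.roles) + [r for g in user.groups for r in g.roles]
    aces = [ace for role in inherited for ace in role.aces]
    if include_direct:  # False reproduces the behaviour the report describes
        aces.extend(user.aces)
    return aces

def is_granted(aces, repository, path, wanted):
    """Union of all matching entries must cover every requested bit."""
    granted = 0
    for ace in aces:
        if ace.repository == repository and fnmatchcase(path, ace.pattern):
            granted |= ace.perms
    return (granted & wanted) == wanted

def can_edit_own_node(user, include_direct):
    aces = permissions_at_login(user, include_direct)
    return is_granted(aces, "users", f"/{user.name}", READ | WRITE)

# Constructed sample: the role covers only "website"; access to the own node is direct.
editor = Role("editor", [Ace("website", "/*", READ | WRITE)])
alice = User("alice", roles=[editor], aces=[Ace("users", "/alice", READ | WRITE)])
```

A regression test for the fix would assert both directions: a directly assigned entry grants access, and a user with no entry from any source is denied.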