Cant Restrict a user when using a 24/7 display? (kiosk type display)

Im hoping someone has a answer or way to address this:

Like many users i have a grafana server for internal users only (no public internet access), we have the beautiful grafana dashboards displaying on various monitors 24/7 (via kiosk mode on extra PCs, rasPI’s ect).

The most reliable way to do this, is to have anonymous access ENABLED (so that the kiosk mode clients only need a URL , and not need a person to manually type in a login/pass every X hours/days on said kiosk displays. (this all works great btw).

We have a need to give one grafana account (“steve”) Viewer-level access to a only a few dashboards in a grafana folder. However i see NO reasonable way to do this- other than creating a new/separate organization, and the export / import the JSON for the shared dashboards over to that new Org. (and create this new user steve , in that new org).

Please correct me if im wrong, but there is no way to do this in my Main Org, as the only way to block user Steve from seeing the other Main Org dashboards/folder is to remove the viewer ROLE’s permission from the folders. (and if i do this, our 24/7 anonymous auth displays would stop working bc they would no longer have permission) , right?

(ie if i have this right, i would need one of two features , that do not exist, to make this work, either:
1- ability to create a new, 4th “Role” , ie named “limited-Viewer” (and remove its access to all but “Steve’s” folder
2- Ability to explicitly set a DENY permission on a folder, for a specific user. (which would be the ideal feature).

Is that correct? or does anyone know of a way i can block a user in a Organization from even seeing all the dashboards?