When assigning permissions to Managed Unit objects in ARS, the Inherited DENY permissions on the "parent" Managed Unit object object are overriding the ALLOW permissions on the explicit object, when deny permissions are applied to Managed Unit.
In Active Directory, if a deny permission is applied on an OU and a explicit allow is applied directly on the object. The explicit allow should override the deny.
This is by design.
Enforcing an Access Template to Managed Unit should be treated as the same as enforcing Access Template directly to object. Thus DENY and ALLOW permissions are enforced to the same level. In this situation a DENY permission will override an ALLOW.
By definition "Managed Units Collections of directory objects delegated to Trustees for administration" it is not considered a container.