I liked the simplicity and robustness of Ken's answer: use Unix groups.

> We would like to create accounts for restricted users

To be sure we understand the requirements, what precisely do you mean by
"restricted users"?  Do you *only* mean the following?

> These users would have access to the filesystem
> as appropriate, but would not be allowed to run the applications living
> under /opt and /usr/local.

If you only mean the above, then in the context of "primarily for data
sharing purposes", what precisely do you mean by "access to the filesystem as
appropriate"?

Regards,
Dan W.