User can list zFS directory despite FSACCESS (FSA) PREVENT rule


Article ID: 437989


Products

ACF2 - z/OS

Issue/Introduction

A user is able to perform an ls (list) command on a z/OS UNIX directory even though an ACF2 FSACCESS (FSA) resource rule is in place to PREVENT access to the underlying zFS file system.

 

Environment

z/OS UNIX System Services
CA ACF2 for z/OS
zFS File Systems

Cause

FSACCESS (FSA) rules provide a high-level SAF check at the file system container level (the zFS itself). This check is typically performed during the mounting of the file system or when a user first accesses a file system they haven't used before.

 

Resolution

For logonids with the AUDIT privilege or the SECURITY privilege (unscoped), the FSACCESS resource validation is not made.
The ACEEAUDT bit (which determines whether or not users go through the FSACCESS check) gets turned on for users with AUDIT as well as for unscoped SECURITY users.