WSC fantastic questions and honestly I did not expect somebody asking this type of question so soon. That is why I did not rush to enhance documentation with more details.
So, you are on the right path with finding the right solution and it is almost correct. First and foremost, you've misused the
menu- prefix. This pseudo prefix is used to tell AAM something like "Hey, restrict access to this menu item and any sub-item that it has". So prefixing and sub-items with
menu- is redundant.
The main issue with restricting access to all menus and allowing only some sub-menus is with the way WordPress core renders the main backend menu. My personal opinion (without any intention to offend anybody) is that WordPress core has extremely poor implementation when it comes to managing this crucial part of the backend area. Internally, WP core has two separate globally defined containers
$submenu links to one of the elements in the
Note! Under container, I mean PHP array that is defined in the global PHP scope.
Now, when you use the wildcard with BackendMenu resource, AAM honors that and basically clears the
$menu container, so any allowed sub-items in
$submenu container have no parents and that is why WordPress core simply does not render anything.
That is why you need to explicitly allow the top menu item, by using
menu- prefix and again restrict access to each submenu item that you do not want to give access to.
Here is the policy that does the magic: