Securing Salt file_roots

My only real problem with Salt vs Puppet is its security model for files stored in the manifest. Puppet's fileserver supports per-node export configuration, allowing for node-private file distribution. Salt, on the other hand, exposes all files to all nodes at all times.

How Puppet does it

# fileserver.conf
[mount_point]
path /path/to/files
allow *.example.com
deny *.wireless.example.com

[private]
path /data/private/%h
allow *

How salt could do it

# file_roots.sls
file_roots:
  base:
    - /srv/salt
    - /srv/salt-example.com:
      - allow: *.example.com
      - deny: *.wireless.example.com
    - 
  dev:
    - /srv/salt/dev/services
    - /srv/salt/dev/states
  prod:
    - /srv/salt/prod/services
    - /srv/salt/prod/states

Proposal

file_roots:
  base:
    - /srv/salt
  *.example.com:
    - /srv/salt-example.com