You can do anything you like in a plugin.
I would not recommend you manage access control lists in code. Sure, you can change behaviour and the rules, but access control should be as transparent and intuitive to the admin as possible, surely? Also there will be times when you need to make a change urgently. You don’t want to be relying on a code release to do that!
Try to fully understand the existing model and see if you can achieve what you need to without code changes. Security is a very important but tricky element and whilst you leverage the existing framework the Discourse team has got your back. If you change things you are at greater risk and on your own.
Also bear in mind your plugin changes need to be robust to the evolution of core. Overrides need to be written in such a way that they are most likely to continue to work as the original code morphs. This is a delicate balance and represents a maintenance overhead. Not being able to update your instance because your plugin would break is a security risk in itself.
At the end of the day, plugins are especially appropriate for more superficial, harmless changes, but applying them to the security layer should only be done after serious consideration. There are exceptions though, like the OAuth plugins, which work with platform features that allow you to safely snap in new providers.
All that said, good luck!