As @davimacedo said before, and the visualisation shows pretty nicely in the link I shared before, each one acts as a level of denier, it doesn’t overwrite the deny of the other:
Does your object have a field to the user directly? Like I showed before with the author? Then you could configure the class-level to allow for the value of said field and the admin-role and have the ACL for each row as public-read-write-allowed-ACL. The class level permissions would then prevent any non-admin user-not-the-field to see them, even though they are, on the individual level, not restricted.
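
The layering described in the post above, as an added example that is not part of the original post and not Parse Server's own code: a simplified model in which a row is readable only when both the class-level permissions and the row's ACL allow it. The function names, the sample users and rows, and the use of plain id strings in place of user pointers are assumptions made for illustration.

```javascript
// Simplified model of the two permission layers (not Parse Server's implementation).
// The CLP uses Parse's per-operation maps plus readUserFields (pointer permissions).
const clp = {
  find: { 'role:admin': true },
  readUserFields: ['author'], // the user referenced by `author` may read the row
};

// Constructed sample rows; `author` is a plain user id here instead of a pointer.
const publicAcl = { '*': { read: true, write: true } };
const rows = [
  { objectId: 'r1', author: 'alice', ACL: publicAcl },
  { objectId: 'r2', author: 'bob', ACL: publicAcl },
  // Restrictive ACL: only bob may read, although alice is the author.
  { objectId: 'r3', author: 'alice', ACL: { bob: { read: true, write: true } } },
];

// Layer 1: class-level check (public entry, user id, role, or pointer field).
function clpAllowsRead(op, user, row) {
  const perms = clp[op] || {};
  if (perms['*']) return true;
  if (!user) return false;
  if (perms[user.id]) return true;
  if (user.roles.some((r) => perms[`role:${r}`])) return true;
  return (clp.readUserFields || []).some((f) => row[f] === user.id);
}

// Layer 2: per-object ACL check.
function aclAllowsRead(acl, user) {
  const keys = ['*'];
  if (user) keys.push(user.id, ...user.roles.map((r) => `role:${r}`));
  return keys.some((k) => acl[k] && acl[k].read === true);
}

// A row is returned only if neither layer denies it.
function visibleRows(user) {
  return rows
    .filter((row) => clpAllowsRead('find', user, row) && aclAllowsRead(row.ACL, user))
    .map((row) => row.objectId);
}

console.log(visibleRows({ id: 'alice', roles: [] }));        // author of r1 and r3; ACL denies r3
console.log(visibleRows({ id: 'bob', roles: [] }));          // ACL allows r3, CLP denies it
console.log(visibleRows({ id: 'carol', roles: ['admin'] })); // admin passes CLP; ACL denies r3
console.log(visibleRows(null));                              // public ACL alone is not enough
```

Row `r3` shows the other direction of the same rule: a restrictive ACL still hides a row from a user the class-level permissions would let through.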
