At the moment this is how the hierarchy works if a user is in more than one security group...

When the user is placed into multiple security groups, the rights are combined.......The exceptions to this rule are Gift Security by Fund, Security by Notepad Type, Action Security by Type, and the "Restrict access from selected constituent codes" option in Security by Constituency in The Raiser’s Edge 7. With these options, the most restrictive applies. 

See: https://kb.blackbaud.com/articles/Article/46503

The "exceptions to this rule" are the issue. If the rule was a blanket - user gets the higher rights then that would be easier but at the moment the user gets higher rights on everything except for a few things where they get the lowest rights - not sensible.

I now have to go and create a few new security groups to cope with this anomaly.