My understanding of SQL security is somewhat limited, but I am trying to get a handle on it.

Yes, I think I would probably want to deny select on all objects. I think my next step will be to create a role where I will grant select access to this role on specific tables. Then grant the role to specific users. Make sense?