Personally I'm not a fan of even allowing someone any access to the report directory if they don't have sufficient rights for all the reports in the directory. For rights management of report data in reports, we use SSAS databases with appropriate segregation of ActiveDirectory roles for each database component (dimension, cube, etc.) to limit the data each AD role returns to the reports.

In summary, users either have access to a report directory and all reports within the directory, or none at all.