Kenneth Fisher goes over grant, revoke, and deny for permissions:
This means that MyUser can not run a SELECT statement against any table, view or table valued function in the database.
That probably doesn’t sound like you are applying a permission does it? And that is probably where a lot of the confusion comes in. If, however, we take a look at the system views where the data resides then we can see proof that both commands, GRANT and DENY, add a permission.
Particularly interesting is exactly how the deny permission works—and that “deny” is in fact a “permission” in that you modify a permissions list.