LinuxQuestions.org


wzis 03-17-2018 06:40 PM

Question about fanotify behavior: if 2 or more processes monitor the same file
 
For example, if I want to block some process from accessing a directory /path/to/dir, I used the following marks:
FAN_ACCESS_PERM | FAN_EVENT_ON_CHILD | FAN_OPEN_PERM
But my question is: if the attacker wants to access files under that dir, creates a program that uses fanotify to monitor the same dir, and runs that program to grant permission to his attacking program, it seems his fanotify program could do that even when the right program wants to prohibit the attacking program from accessing the files under the protected dir.
Is my understanding of fanotify not right? Or does anyone know the right way to block a root process from accessing a dir?

