Grant access to path without its subfolders

Hello there,
I have a KV version 2 engine “ServiceDesk” and inside it a subfolder “SDLead”. I would like a policy for SD Operators with read access to this engine path except the SDLead subfolder or any other subfolder there (they will have a different policy). My policy should therefore look something like this:

path "ServiceDesk/data/" {
    capabilities = ["read", "list"]
}

but I’m still getting a missing permissions error. Is there a way to grant permissions to ServiceDesk/* secrets only (without naming them all using ServiceDesk/secret1, ServiceDesk/secret2, etc.) but exclude subfolder paths (e.g. ServiceDesk/SDLead/)?
My best ideas so far are to move all these secrets to a new subfolder and grant read permissions on ServiceDesk/Subfolder/*, or rename all secrets to start with, let’s say, a “1” prefix and then grant read to path ServiceDesk/1*.
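
An added example, not part of the original post: one way to express "top-level secrets only" in a Vault policy, using the `+` single-segment wildcard. It assumes a Vault version that supports `+` in policy paths and uses the mount name `ServiceDesk` from the question; the first stanza repeats the policy from the post for comparison.

```hcl
# --- Policy from the post (for comparison) -------------------------------
# Without a glob this is an exact match on the path "ServiceDesk/data/".
# Secrets are read at ServiceDesk/data/<name>, so no read request matches,
# and KV v2 serves LIST from metadata/, not data/, so "list" has no effect.
#
# path "ServiceDesk/data/" {
#     capabilities = ["read", "list"]
# }

# --- Top-level secrets only ----------------------------------------------
# "+" matches exactly one path segment, so this covers
#   ServiceDesk/data/secret1
#   ServiceDesk/data/secret2
# but not
#   ServiceDesk/data/SDLead/secret1   (two segments after data/)
path "ServiceDesk/data/+" {
    capabilities = ["read"]
}

# KV v2 lists keys through the metadata/ endpoint. An exact path with a
# trailing slash allows listing the mount root only; a LIST on
# ServiceDesk/metadata/SDLead/ does not match and is refused.
path "ServiceDesk/metadata/" {
    capabilities = ["list"]
}

# Not used here: a trailing "*" is a prefix glob and crosses "/" boundaries,
# so "ServiceDesk/data/*" would also grant read on everything under SDLead/.
```

Listing the mount root still shows the name `SDLead/` as a key, although its contents stay unreadable. A request such as `vault kv get ServiceDesk/SDLead/<name>` made with a token holding only this policy should be denied, which is a quick check that the subfolder is excluded.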