To understand the exclude function, first consider that Security Manager uses an additive permission model for object groups.
Consider a case where you want to grant users access to all objects beginning with "S". This could easily be done with the following object group definition:
One thing to consider is that this would also grant access to SYSTEM objects, so you may want to exclude these from the group. This can be done by adding an exclude for system to the group.
This group now grants access to all objects that start with S, excluding system objects, as shown in the usage below.
A common misconception is that you can create a group called NotSystem to remove these from viewing. That is, something like this:
And then assigning it together with a group that has all things starting with S, or with the * group.
These methods do not work because the rights to the objects have already been added by another group, and these new groups can only add permissions, not take them away. The key restriction is that Exclude is only valid within the group it is defined in. "NotSystem" is technically a null group, since it does not include anything to exclude from.
In summary, Exclude works to remove objects from inclusion in the current object group but does not affect the permissions granted to objects in other groups. This can be seen in the diagram below: each group is additive to create the resulting permission set.
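
The additive behaviour described above, modelled in Python as an added example (this is not Security Manager's own code or configuration syntax). The glob-style patterns, the object names and every group name other than NotSystem are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class ObjectGroup:
    """Hypothetical model of an object group: include patterns plus excludes."""
    name: str
    include: tuple = ()
    exclude: tuple = ()

    def members(self, objects):
        # Exclude is applied only to what THIS group includes.
        included = {o for o in objects
                    if any(fnmatchcase(o, p) for p in self.include)}
        return {o for o in included
                if not any(fnmatchcase(o, p) for p in self.exclude)}


def effective_access(groups, objects):
    """Union of every assigned group's members: groups only ever add."""
    granted = set()
    for g in groups:
        granted |= g.members(objects)
    return granted


# Constructed object names for illustration.
OBJECTS = ["SALES", "SYSTEM_USERS", "SYSTEM_CONFIG", "STOCK", "ORDERS"]

S_NO_SYSTEM = ObjectGroup("S_NoSystem", include=("S*",), exclude=("SYSTEM*",))
ALL_S = ObjectGroup("AllS", include=("S*",))
EVERYTHING = ObjectGroup("Everything", include=("*",))
NOT_SYSTEM = ObjectGroup("NotSystem", exclude=("SYSTEM*",))  # includes nothing

if __name__ == "__main__":
    for label, assigned in [
        ("exclude inside the group", [S_NO_SYSTEM]),
        ("AllS + NotSystem", [ALL_S, NOT_SYSTEM]),
        ("* + NotSystem", [EVERYTHING, NOT_SYSTEM]),
        ("S_NoSystem + AllS", [S_NO_SYSTEM, ALL_S]),
    ]:
        print(f"{label:26} -> {sorted(effective_access(assigned, OBJECTS))}")
```

A group whose `members` set is empty, like NotSystem here, contributes nothing to a user's access and is worth flagging when reviewing group assignments.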