They maintain their own kernel module to handle ACLs (synoacl_vfs) and they are indeed enforced locally as well. They can be read and modified by using the `synoacltool` cli.

  $ synoacltool -get .config
  ACL version: 1 
  Archive: is_inherit,is_support_ACL 
  Owner: [semiotic(user)] 
  --------------------- 
   [0] user:semiotic:allow:rwxp-DaARWc--:fd-- (level:1)
   [1] group:users:allow:r-x---a-R-c--:fd-- (level:1)

Is that kernel module open source? One of the advantages of what TrueNAS did is that I can patch it into my own kernels if I'd need to. Plus being compatible to the NFSv4 ACL binary format, so it works via NFS too. Also handling Active Directory would be important there.

Not sure about the module being open-source, but running custom kernels is not really a thing on Synology. They seem to integrate SoC BSPs into kernels for each specific model, and they do not seem to port them across versions. Different models use different kernel versions in the same DSM (Synology distro) version.

The ACLs do work via NFS and it also works with Active Directory. They ship an AD implementation too, if you are interested in that (it is actually Samba in AD mode).

Well, TrueNAS Scale isn't exactly designed to be run on a SoC, it's more of a normal linux distro for NAS/SAN Servers. Hence most of it is open source and there is active upstreaming efforts. Plus the entire ACL thing is native to ZFS already, it's just the glue layer that's missing in Linux. For Linux it's presented in an XAttr for compatibility, for Solaris it's part of the proper permission bit fields.