The only problem is that the users did not have access to the root site, so the sub site did not appear in the Navigation Bar. I tried adding 'View Only' permissions at the end, but that undid all my good work.
The solution was a change of approach: give the users access to the site, then remove their access from the items they should not see.
It's always helpful to sharpen the saw.
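$web = Get-SPWeb "http://<server>/<site>"   # placeholder URL; the post does not show how $web was obtained
$list = $web.Lists["MyList"]
$web.AllowUnsafeUpdates = $true
# Stop inheriting from the site (keeping a copy of its permissions) if the list still inherits
if ($list.HasUniqueRoleAssignments -eq $false) { $list.BreakRoleInheritance($true) }
$user = $web.EnsureUser("Domain\user")
# Assumed from the approach described above: remove this user's direct access to the list
$list.RoleAssignments.Remove($user)
$web.AllowUnsafeUpdates = $false
$web.Dispose()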
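A check worth running after this kind of change, as an added example that is not part of the original post: removing a user's direct role assignment does not remove access that arrives through a group, so this reports both the direct roles and the effective view right for every list with unique permissions. The function name `Get-ListAccessReport` and the URL in the usage comment are hypothetical placeholders.

```powershell
# Added example (not from the original post). Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ListAccessReport {
    param(
        [Parameter(Mandatory = $true)] [string] $WebUrl,     # site to audit (placeholder in usage)
        [Parameter(Mandatory = $true)] [string] $LoginName   # e.g. "Domain\user"
    )
    $web = Get-SPWeb $WebUrl
    try {
        $user = $web.EnsureUser($LoginName)
        $viewItems = [Microsoft.SharePoint.SPBasePermissions]::ViewListItems
        foreach ($list in $web.Lists) {
            # Lists that still inherit follow the site's permissions; only the
            # ones with broken inheritance can differ and need reviewing.
            if (-not $list.HasUniqueRoleAssignments) { continue }

            # Roles assigned to the user directly on this list.
            $direct = @()
            foreach ($ra in $list.RoleAssignments) {
                if ($ra.Member.ID -eq $user.ID) {
                    $direct += @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                }
            }

            # Effective access, including anything granted through groups.
            $canView = $list.DoesUserHavePermissions($user, $viewItems)

            New-Object PSObject -Property @{
                List        = $list.Title
                DirectRoles = ($direct -join ', ')
                CanView     = $canView
            }
        }
    }
    finally {
        $web.Dispose()
    }
}

# Usage (placeholder URL):
# Get-ListAccessReport -WebUrl "http://<server>/<site>" -LoginName "Domain\user" |
#     Format-Table List, DirectRoles, CanView -AutoSize
```

A row with empty `DirectRoles` but `CanView` set to `True` means the user still reaches that list through a group membership.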