How do ACL resources in etc/acl.xml actually gate admin access?

An ACL resource is just a string ID like Vendor_Module::manage_widgets. You declare it in etc/acl.xml under the Magento_Backend::admin tree, then reference it in three places: (1) etc/adminhtml/menu.xml — the resource attribute hides the menu item from users without the role; (2) the controller's _isAllowed() method — gates the page itself; (3) etc/adminhtml/system.xml — gates config sections. ACL is permission-only — it doesn't authenticate, it doesn't audit, it just answers yes/no. Always implement _isAllowed(); menu hiding is cosmetic, anyone with the URL can hit the controller without it.
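The three hooks described above, as an added example rather than code from the original page or from any real module: a Magento 2 admin controller that declares its ACL resource and implements `_isAllowed()` explicitly, with the matching `etc/acl.xml` and `etc/adminhtml/menu.xml` declarations shown in comments. The module name `Vendor_Module`, the resource id `Vendor_Module::manage_widgets` and the class path are assumptions.

```php
<?php
// Added example (not from the original page): a Magento 2 admin controller gated by an
// ACL resource. Module, resource id and class names are assumed for illustration.
declare(strict_types=1);

namespace Vendor\Module\Controller\Adminhtml\Widget;

use Magento\Backend\App\Action;
use Magento\Backend\App\Action\Context;
use Magento\Framework\Controller\ResultInterface;
use Magento\Framework\View\Result\PageFactory;

/*
 * Matching declarations for the hypothetical module Vendor_Module.
 *
 * etc/acl.xml (declares the resource under the Magento_Backend::admin tree):
 *   <resource id="Magento_Backend::admin">
 *       <resource id="Vendor_Module::widgets" title="Widgets">
 *           <resource id="Vendor_Module::manage_widgets" title="Manage Widgets"/>
 *       </resource>
 *   </resource>
 *
 * etc/adminhtml/menu.xml (the resource attribute only hides the link):
 *   <add id="Vendor_Module::manage_widgets" title="Widgets" module="Vendor_Module"
 *        resource="Vendor_Module::manage_widgets" parent="Magento_Backend::content"
 *        action="vendor_module/widget/index"/>
 *
 * The menu entry is cosmetic; the _isAllowed() check below is what refuses a direct request.
 */
class Index extends Action
{
    /** ACL resource id this controller requires; the base class reads it in _isAllowed(). */
    public const ADMIN_RESOURCE = 'Vendor_Module::manage_widgets';

    private PageFactory $resultPageFactory;

    public function __construct(Context $context, PageFactory $resultPageFactory)
    {
        parent::__construct($context);
        $this->resultPageFactory = $resultPageFactory;
    }

    /**
     * Explicit permission gate. The Action base class already checks static::ADMIN_RESOURCE,
     * but stating the check here keeps the requirement visible in code review and does not
     * depend on base-class behaviour. A false return yields Magento's "access denied" page.
     */
    protected function _isAllowed(): bool
    {
        return $this->_authorization->isAllowed(self::ADMIN_RESOURCE);
    }

    public function execute(): ResultInterface
    {
        $page = $this->resultPageFactory->create();
        // Reuse the same resource id so the active-menu highlight matches the ACL entry.
        $page->setActiveMenu(self::ADMIN_RESOURCE);
        $page->getConfig()->getTitle()->prepend(__('Widgets'));
        return $page;
    }
}
```

To confirm the gate rather than the menu is doing the work, assign an admin role that lacks `Vendor_Module::manage_widgets`, log in as a user with that role, and request `vendor_module/widget/index` directly: the controller should return the access-denied page even though the menu item never appeared. The same `$this->_authorization->isAllowed()` call is also what blocks and templates should use to decide whether to render an action button, so that the visible UI and the enforced permission come from one resource id.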