since version 1906 SCCM supports role-based access control (RBAC) for folders. This can be configured trough the SCCM console or (recommended) PowerShell.

unfortunattely the current version of the commandlet Get-CMObjectSecurityScope doesn’t support any folder as InputObject. so, if you want to know, which Security Scope is allowed to see a folder, you have to use this:

$PathName = 'LAB:\DeviceCollection\FolderName\SubFolder' 
$SiteCode = 'LAB'
$SiteServer = 'server.domain.net'

Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -Scope Global -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer -Scope Global | Out-Null
Set-Location -Path "$( $SiteCode ):\"

$Folder = Get-Item $PathName 
Get-WmiObject -ComputerName $SiteServer -Namespace "root\sms\site_$( $SiteCode )" -Query "SELECT * FROM SMS_SecuredCategoryMembership WHERE ObjectKey = '$( $Folder.ContainerNodeID )'" | ForEach-Object { Get-CMSecurityScope -Id $_.CategoryID }

to add or remove any SecurityScopes to a Folder, you can use this build-in commandlets:

Add-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName
Remove-CMObjectSecurityScope -InputObject $Folder -Name $SecurityScopeName