How denied capabilities work
Suppose the Super role is granted these capabilities:
edit_posts
Then, suppose the Duper role is granted these capabilities:
publish_posts
edit_products
Now, further suppose User A has the Super role because you want them to edit posts. However, you also want User A to be able to edit products, so you assign them the Duper role as well. Suddenly, User A is granted the following capabilities:
edit_posts
publish_posts
edit_products
For whatever reason, you don’t ever want users with the Super role to be able to publish posts. Now you have a problem. One way to solve this is to create a third role with just the capabilities that you want and give that single role to User A. However, that becomes cumbersome on larger sites with many roles.
Instead, you could explicitly deny the publish_posts capability to the Super role. When you do that, User A is only granted the following capabilities:
edit_posts
edit_products
And is denied the following capabilities:
publish_posts
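The resolution described above, as an added example (not code from the original page or from any plugin). It assumes each role is stored as a capability => true/false map, where false is an explicit deny; resolve_caps() and last_role_wins() are hypothetical helper names. The second function is included only to show why a deny has to win regardless of the order in which roles were assigned.

```php
<?php
// Illustrative model only: role names and capabilities come from the text above;
// the cap => true (granted) / false (denied) storage shape is an assumption.
$roles = [
    'super' => ['edit_posts' => true, 'publish_posts' => false], // explicit deny
    'duper' => ['publish_posts' => true, 'edit_products' => true],
];

/**
 * Resolve effective capabilities with deny-overrides semantics: a capability
 * denied by ANY assigned role stays denied, whatever the role order.
 */
function resolve_caps(array $roles, array $userRoles): array
{
    $granted = [];
    $denied  = [];
    foreach ($userRoles as $name) {
        // Unknown role names contribute nothing (fail closed).
        foreach ($roles[$name] ?? [] as $cap => $allowed) {
            if ($allowed === true) {
                $granted[$cap] = true;
            } else {
                $denied[$cap] = true; // anything not strictly true counts as a deny
            }
        }
    }
    $effective  = array_keys(array_diff_key($granted, $denied));
    $deniedList = array_keys($denied);
    sort($effective);
    sort($deniedList);
    return ['granted' => $effective, 'denied' => $deniedList];
}

/** Order-dependent merge, shown for contrast: the last role listed wins. */
function last_role_wins(array $roles, array $userRoles): array
{
    $caps = [];
    foreach ($userRoles as $name) {
        $caps = array_merge($caps, $roles[$name] ?? []);
    }
    $granted = array_keys(array_filter($caps));
    sort($granted);
    return $granted;
}

// User A holds both roles; the outcome must not depend on assignment order.
foreach ([['super', 'duper'], ['duper', 'super']] as $order) {
    $r = resolve_caps($roles, $order);
    printf("%s -> granted: %s | denied: %s | last-role-wins grants: %s\n",
        implode('+', $order), implode(', ', $r['granted']),
        implode(', ', $r['denied']), implode(', ', last_role_wins($roles, $order)));
}
```

When auditing a site with multi-role users, compare both orderings for each user: any capability that appears under one ordering but not the other marks a deny that is not being enforced consistently.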