So I recently discovered 'access base share enum', which is supposed to simply make shares invisible to users that don't have the permissions required to access them anyway, and thought it would be nice to implement it in my workgroup. Unfortunately, after much fumbling about on google, freenode, and eventually crawling through Samba's source myself, I've determined the option only applies to domains, and not to workgroups. With some additional googling and some hints from Davidh2k, I've managed a working, though incomplete workaround. Per Davidh2k's request I'm sharing what I've come up with so that it may help others, and possibly be refined a bit
OMV GUI steps needed:
Make shares this will apply to "browsable = no"
Add an extra option to each share of "include = /etc/samba/.browseable/ShareName.%U.conf" (ShareName must match the samba share name exactly. I haven't figured out a way to automate this and it's not a terribly large burden to do manually imho)
The heart of the matter is a version of /usr/share/openmediavault/mkconf/samba.d/20shares which I gutted and repurposed to generate the include files for each share and valid user. The new file is 99smurfy in the same directory. It can be named pretty much anything, as long as it's valid to run-parts, because it doesn't touch smb.conf in any manner anyway, so order doesn't matter.
It's ugly. It's not finished. My apologies. It does do its job though, save that it doesn't ensure deletion of files for users who have no permissions for the share (their usernames don't get passed into it). Deleting all of the files at the start of each pass is currently the only way I know of to do this properly, but I'm running on a crap USB stick and don't want excessive writes.