Lawrence, this is what I normally tell people in training about setting up this permission
In the Roles app > select the Role (ex: MarketingEditors) > go to Permission tab, select module > Content. Here, you should only give the role the basic permission like Browse Tree and Read. With this basic permission setup, editor in that role can browse the whole content tree, but cannot edit any page.
Then go to the parent page of a section, go to Properties > Security. Break permission inheritance, add the role you want to edit that section. Then give that role the permission to modify, add, edit, delete (maybe not destroy). Now editor in that role will only be able to edit that section.
So the basic rule is: in the role module permission, give minimum permissions. Then assign more on the Page permission level.