I believe this can be done - the ACL framework is highly granular in the possible set of permissions you can make up more coarse permission sets with, for example:
<permissionGroup name="Read" expose="true" allowFullControl="false">
<includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadContent"/>
</permissionGroup>
So I assume you can create a new permission similar to 'Read' but which has 'ReadProperties' and does not have 'ReadContent'. So something like:
<permissionGroup name="CustomRead" expose="true" allowFullControl="false">
<includePermissionGroup type="sys:base" permissionGroup="ReadProperties"/>
<includePermissionGroup type="sys:base" permissionGroup="ReadChildren"/>
</permissionGroup>
Hope this helps,Kevin
