Calling Deny prevents access to the resource specified by the denied permission. If your code calls Deny and a downstream caller subsequently invokes a security check for the permission that you denied, the security check will fail, even if all callers have permission to access that resource.
For example, suppose callers A, B, and C have been granted a permission called P1. Caller A creates an instance of the P1 class and calls P1's Deny method to ensure that A cannot be used to access the resource protected by P1. Next, A calls B, which calls C. Caller C directly accesses the resource that P1 protects, so it invokes a security check for P1 by calling P1's Demand method. The runtime checks the permissions of method B, and because B has been granted P1, it goes on to examine method A. But because method A denies P1, the security check invoked by method C fails at that point, and a SecurityException is thrown. It doesn't matter whether method A and its callers (if there are any) have been granted P1 – the security check still fails.
You can use calls to Deny in your code to protect yourself from liability because denials make it impossible for your code to be used to access the denied resource. However, the call to Deny does not block future security assertions by downstream callers.
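The A, B, C scenario above, and the caveat about downstream assertions, as an added example (not code from the original page). It assumes a .NET Framework runtime that still supports Deny and a fully trusted application; FileIOPermission stands in for P1, and the class name DenyDemo and the path C:\SampleData are constructed for illustration.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

static class DenyDemo   // hypothetical name, not from the page
{
    // Stand-in for P1: read access to a constructed sample path.
    static FileIOPermission P1()
    {
        return new FileIOPermission(FileIOPermissionAccess.Read, @"C:\SampleData");
    }

    // A denies P1 on its own stack frame, then calls B.
    // NoInlining keeps A, B and C as separate frames for the stack walk.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void A(bool bAsserts)
    {
        P1().Deny();
        try { B(bAsserts); }
        finally { CodeAccessPermission.RevertDeny(); }
    }

    // B optionally asserts P1 before calling C.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void B(bool assertP1)
    {
        if (assertP1) P1().Assert();
        C();
    }

    // C guards the resource: the demand walks C's callers (B, then A).
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void C()
    {
        P1().Demand();
    }

    static void Main()
    {
        // Case 1: the walk passes B, reaches A's Deny, and the demand fails.
        try { A(false); Console.WriteLine("no assert in B: demand passed"); }
        catch (SecurityException) { Console.WriteLine("no assert in B: demand failed"); }

        // Case 2: B's Assert ends the walk at B, so A's Deny is never examined.
        try { A(true); Console.WriteLine("assert in B: demand passed"); }
        catch (SecurityException) { Console.WriteLine("assert in B: demand failed"); }
    }
}
```

The second case is why a Deny in your own frame is not a guarantee: any downstream caller with the right to assert P1 can satisfy the demand before the stack walk ever reaches your frame.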