Specifically, how might one get an org portable Apex Unit Test User that DOES NOT have READ access to Accounts?
Creating a Test Permission Set that DOES NOT have READ access to ACCOUNTS and assigning it to a Test User is straightforward.
Keep in mind that Permission Sets are Additive. Therefore, we need a Profile that DOES NOT have READ access to Accounts to attach to our Test User.
It doesn’t seem to be possible to insert a new Test Profile via DML or update the Object(CRUD)/Field(FLS) of an existing Profile. Therefore, one must Test with an existing Standard Profile that is likely to be available in most, if not every, Org.
I cannot find any existing Standard Profile that DOES NOT have READ access to Accounts.
Unless you can create a special Profile, I don’t think this is possible. You might be able to use the metadata API to create a Profile that fits your qualifications, but that would need to be done outside of a test scenario, and sounds like it would violate your use case.