There are more solutions, but if you want to do it with revoking access in permissions you can do it this way.
Working sample process: test4eyesPrincipleRevokeAuth.bpmn (7.1 KB)
The result is whichever user completes the “Task A”, will not see the “Task B” in the tasklist, even he has the needed authorization set up by the group, but the “user” authorization is “stronger” than the group authorization.