Hmm.. as I thought -
Adding a section (Business_section) and assigning a subtree to this, then setting the role to:
user all functions No limitations
content read Section( Business_section )
Still gives me the same result - i.e. the user is only authorised to the sub-tree 'sub3' and not to the main page 'home', and the main page is not a subtree itself that I can add to anywhere (either a role directly or via a section) :(
Ah - some more playing about and I think I'm close to a solution:
The breakthrough was noticing an UpArrow icon on one of the screens!
When you add a subtree (or a single node even), the system shows you the main set of subtrees automatically. However, I've now noticed that you can use an UpArrow icon (top left, above the 10,25,50 figures). This allows you to move above the subtrees and back to the top level node (Home in my case).
I can then select this and authorise just the Home node to the policy plus the subtree(s) of my choice.
I've now got the policy looking like this:
user all functions No limitations
content read Node( Home )
content read Subtree( sub3 )
And this seems to fix my problem. :)