Specifically, how might one get an org portable Apex Unit Test User that DOES NOT have READ access to Accounts?
Creating a Test Permission Set that DOES NOT have READ access to ACCOUNTS and assigning it to a Test User is straightforward.
Keep in mind that Permission Sets are Additive. Therefore, we need a Profile that DOES NOT have READ access to Accounts to attach to our Test User.
It doesn't seem to be possible to insert a new Test Profile via DML or update the Object(CRUD)/Field(FLS) of an existing Profile. Therefore, one must Test with an existing Standard Profile that is likely to be available in most, if not every, Org.
I cannot find any existing Standard Profile that DOES NOT have READ access to Accounts.
Attribution to: mjgallag
Possible Suggestion/Solution #1
Unless you can create a special Profile, I don't think this is possible. You might be able to use the metadata API to create a Profile that fits your qualifications, but that would need to be done outside of a test scenario, and sounds like it would violate your use case.
Attribution to: Jeremy Nottingham
Possible Suggestion/Solution #2
Workaround
I found this query to be about as org portable as you can get at this point, since it doesn't rely on hardcoding a Profile Name. If there is a Profile in the org that doesn't have Read Access to Accounts it will find it. Note that setting Profile User Type to Standard eliminates things like Portal Profiles, which have a dependency on having an active Portal, and Chatter Only Profiles, which you aren't able to add Account Read Access to.
    SELECT Profile.Id
    FROM PermissionSet
    WHERE IsOwnedByProfile = true
      AND Profile.UserType = 'Standard'
      AND Id NOT IN (SELECT ParentId
                     FROM ObjectPermissions
                     WHERE SObjectType = 'Account'
                       AND PermissionsRead = true)
    LIMIT 1
Attribution to: mjgallag
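The workaround query above, used inside a unit test, as an added example that is not part of the original answers. The class name, method name and all User field values are constructed for illustration, and the test assumes describe results inside `System.runAs` reflect the test user's profile permissions.

```apex
@isTest
private class AccountNoReadAccessTest { // hypothetical class name
    @isTest
    static void userWithoutAccountReadCannotAccessAccount() {
        // Find a profile-owned permission set with no Account read permission.
        List<PermissionSet> owned = [
            SELECT ProfileId
            FROM PermissionSet
            WHERE IsOwnedByProfile = true
              AND Profile.UserType = 'Standard'
              AND Id NOT IN (SELECT ParentId
                             FROM ObjectPermissions
                             WHERE SObjectType = 'Account'
                               AND PermissionsRead = true)
            LIMIT 1
        ];
        if (owned.isEmpty()) {
            // No qualifying profile in this org: the negative case
            // cannot be exercised here, so say so instead of failing.
            System.debug(LoggingLevel.WARN,
                'No Standard profile without Account read; test skipped.');
            return;
        }

        // Constructed sample user; the username is made unique per run.
        User u = new User(
            ProfileId = owned[0].ProfileId,
            LastName = 'NoAccountRead',
            Alias = 'noacct',
            Email = 'noacct@example.com',
            Username = 'noacct' + DateTime.now().getTime() + '@example.com',
            EmailEncodingKey = 'UTF-8',
            LanguageLocaleKey = 'en_US',
            LocaleSidKey = 'en_US',
            TimeZoneSidKey = 'America/Los_Angeles'
        );
        insert u;

        System.runAs(u) {
            // Code under test that enforces CRUD should take its
            // "no access" branch for this user.
            System.assert(!Schema.sObjectType.Account.isAccessible(),
                'Test user should not have read access to Account');
        }
    }
}
```

Because the test returns early when no qualifying profile exists, a green result in such an org does not prove the no-access path was covered; check the debug log for the warning.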
This content is remixed from stackoverflow or stackexchange. Please visit https://salesforce.stackexchange.com/questions/1367