That's actually a situation I hadn't anticipated. You're coming at access permissions from the opposite approach of most WordPress sites--"deny all but allow these" instead of "allow all but deny these." Right now, Gatekeeper's black list prioritizes the black list (presuming anything on that list is ultimately bad and overriding the white list if an IP matches both) and blocks those IP addresses.
Your approach is intriguing and I can see it being useful. For ultimate security, I'd still recommend relying on .htaccess since it's closer to the server and less prone to quirks in PHP, WordPress, Gatekeeper, etc.
Let me give this some thought on how I might be able to best implement what you're asking. Most likely it would be an option of "whitelist priority" vs "blacklist priority." I can't promise a quick update, but I like the idea and it'll probably be something I push in the next update. If you have suggestions, please pass them along.