So far I am not using any ACLs, but since I am getting a smart lock I want to secure the topic so that only one user can write to it.
After reading the documentation I am a bit confused though. Is it correct that if I add the acl_file directive to my .conf, I have to list every single topic for every user that that user should have access to?
Yes, if the acl_file directive is enabled in the Mosquitto configuration, every access rule (read, write, or readwrite) for each user must be explicitly listed in the ACL file, but you do not need to enumerate every topic for every user, only specify the topics you actually wish to secure or restrict.
But you can also use wildcards (# and +) so you do not need to configure them all by hand.
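
An added example, not part of the thread above: a Mosquitto configuration fragment and ACL file in which a single account may publish to the lock's command topic while other accounts are covered by wildcard rules. The user names (lockctl, lock, dashboard, sensors), the topic layout under home/ and the file paths are assumptions made for illustration.

```conf
# ---- mosquitto.conf (fragment; paths are assumed) ----
# Require a username/password so ACL rules can be tied to a user.
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (hypothetical users and topics) ----
# Keep comments on their own lines; do not append them to a rule line.
# No "topic" rules appear before the first "user" line, so nothing is
# granted to clients without a username.
# With acl_file set, a user only gets access to topics matched by a rule
# listed for that user.

# The only account allowed to publish lock commands.
user lockctl
topic write home/frontdoor/lock/set
topic read home/frontdoor/lock/state

# The lock itself: receives commands, reports its state.
user lock
topic read home/frontdoor/lock/set
topic write home/frontdoor/lock/state

# Read-only account: one multi-level wildcard covers the whole tree.
user dashboard
topic read home/#

# Sensor account: "+" matches exactly one level (the room name),
# "#" matches everything below. This pattern does not match
# home/frontdoor/lock/set, so this account cannot publish lock commands.
user sensors
topic readwrite home/+/sensor/#
```

After reloading the broker, publish to home/frontdoor/lock/set as each account and confirm that only lockctl's message reaches a subscriber. A broad rule such as topic readwrite home/# on any other account would also grant write access to the lock topic.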