Grant MODIFY on "All Subfolders and Files" with icacls, but only give Read to top level folder
Change the first line of your script to the following to have it apply only to subfolders and files.
icacls.exe $folder /grant "$domain\$user:(OI)(CI)(IO)(M)"
Then apply this to the top folder.
icacls.exe $folder /grant "$domain\$user:(R)"
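The two grants above as one PowerShell script, followed by a check of what actually landed on the ACL. This is an added example, not part of the original answer; `$folder`, `$domain` and `$user` are placeholders you supply, and the account running it must be allowed to change the ACL.

```powershell
# Added example (not from the original answer): apply the answer's two
# icacls grants and then inspect the resulting ACEs with Get-Acl.
# Assumptions: $folder, $domain and $user are placeholders set by the caller.
param(
    [Parameter(Mandatory)] [string] $folder,
    [Parameter(Mandatory)] [string] $domain,
    [Parameter(Mandatory)] [string] $user
)

$identity = "$domain\$user"

# 1. Modify on subfolders and files only.
#    (OI)(CI) propagate the ACE to child files and folders;
#    (IO) makes it inherit-only, so it does not apply to $folder itself.
icacls.exe $folder /grant "${identity}:(OI)(CI)(IO)(M)"
if ($LASTEXITCODE -ne 0) { throw "icacls (IO)(M) grant failed: exit $LASTEXITCODE" }

# 2. Read on the top-level folder itself (no inheritance flags, so this
#    ACE applies to $folder only and is not passed down to children).
icacls.exe $folder /grant "${identity}:(R)"
if ($LASTEXITCODE -ne 0) { throw "icacls (R) grant failed: exit $LASTEXITCODE" }

# 3. Verify: list the explicit (non-inherited) ACEs for the account and
#    show which ones are inherit-only versus applied to this folder.
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$aces = (Get-Acl -Path $folder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $identity }

foreach ($ace in $aces) {
    $scope = if ($ace.PropagationFlags -band $inheritOnly) {
        'subfolders and files only'
    } else {
        'this folder only'
    }
    [pscustomobject]@{
        Identity         = $ace.IdentityReference.Value
        Rights           = $ace.FileSystemRights
        AppliesTo        = $scope
        InheritanceFlags = $ace.InheritanceFlags
    }
}
```

Expect one entry with Modify rights marked "subfolders and files only" and one with Read rights marked "this folder only"; if the Modify ACE shows "this folder only", the (IO) flag was dropped and the user has Modify on the top-level folder as well.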