IPSec VTI Virtual Tunnel Interface

Hello Thierry

From a technical standpoint, if the choice was between those two, using ACLs would be a better choice. The purpose of ACLs is to filter traffic, and you can most effectively control what traffic you allow and what traffic you disallow using them. Routing is more cumbersome to use as a filtering mechanism, and it is not nearly as powerful. Needless to say, routing has a whole different purpose, and should not be used in such a fashion, as it could cause unintentional and unpredictable changes to traffic patterns.

IPSec VTI, and VPN technologies in general, are features that are best used when you have control over both the spokes and the hub devices. If you don’t, it’s still doable, but there are more administrative issues involved. If you are an organization that wants to offer customers secure access to your internal resources, the most appropriate technology to use is MPLS L3 VPN. It would provide you with the most scalable solution, and provide you with the tools necessary to achieve both security and routing among remote sites. You can find out more about that at the following lesson:

I hope this has been helpful!

Laz
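To illustrate the point about filtering on an IPsec VTI with an ACL rather than bending routing to do the job, here is an added Cisco IOS configuration example. It is not part of the original post or the forum's lesson material; the interface names, key, addresses (RFC 5737 / RFC 1918 ranges) and ACL name are constructed placeholders for a single hub-side VTI.

```ios
! --- Added example (not from the original post). All addresses and the
! --- pre-shared key are constructed placeholders.

! Phase 1 (IKEv1) policy between hub and spoke
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Spoke public address is a placeholder
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.2

! Phase 2 transform set used by the VTI profile
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS

! Filter that controls what the spoke may reach over the tunnel.
! This is the ACL-based approach the post recommends: explicit permits,
! an explicit logged deny, and nothing relying on the routing table.
ip access-list extended SPOKE-IN
 remark Spoke LAN may reach the internal web service only
 permit tcp 10.2.0.0 0.0.255.255 host 10.1.0.10 eq 443
 remark Allow ICMP for troubleshooting, nothing else
 permit icmp 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255 echo
 deny   ip any any log

! Virtual Tunnel Interface toward the spoke, with the ACL applied inbound
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip access-group SPOKE-IN in
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF

! Ordinary routing: the spoke LAN is reached via the VTI.
ip route 10.2.0.0 255.255.0.0 Tunnel0

! What the post advises against: using a route (here to Null0) as a
! filtering tool. It drops traffic only by destination, cannot match on
! protocol or port, and silently changes the forwarding path for every
! source, so it is shown here as the anti-pattern, not as configuration
! to apply.
! ip route 10.1.0.0 255.255.0.0 Null0
```

Verification on the hub once the tunnel is up: `show crypto ipsec sa` confirms the SA on Tunnel0, `show ip access-lists SPOKE-IN` shows hit counts per entry (the logged deny line is a useful early indicator of spokes trying to reach something they were not granted), and `show ip route 10.2.0.0` confirms the spoke prefix points at the VTI rather than at a null route.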