What is your business use case for wanting to allow HR agents to see reports on all HR cases, but not see the actual cases?  I would caution against this strict of read security on your HR Cases.  OOB, all HR agents (those with sn_hr_core.basic role) can read/write to all cases, with exception of Employee Relations and Lifecycle Events cases that have separate roles.  This allows for collaboration and reassignment (i.e., escalation/transfers) to other groups or individuals within HR.  This could be key for when someone is going to be out of the office, but still has open cases and/or if they need to involve another party like an HRBP or team lead to help.  You really need to think through use cases and future use (e.g, if only agents opening cases and not employees today, that may not be the case a year from now) before overriding security to that level.  When you've thought through the scenarios, I'd then recommend using COE Security Configuration and not directly updating ACLs instead of HR Case security.  You can configure for all services on the COE table or specific ones, and add additional conditions like the particular group(s) that can read and write to the case based on location to keep compliant or if the assignment group is one of my groups, so you can always access if assigned to your group.

OOB, all HR agents have access to read Interactions, so you should not have to update anything for that.