Uh, yeah. I saw the exchange you mention...
I have not been dealing with app groups directly unless I have to. I use the subsite as a container, along with its application group that gets created when a subsite is instantiated. I use the apm to do the instantiation. I then supplement the subsite app group with additional segments to create more roles, assign rights to the segments, and then add rels in a particular role. See the "howto" thread (http://openacs.org/forums/message-view?message_id=116231) for details.
When I located the bug mentioned in this thread, I was using the apm to destroy a subsite after destruction of all child site nodes. If you really want to do the app group stuff yourself, do it with the apm first and look at the log to see how/when the permissions are deallocated. I use the toolkit's magic whenever I can.