Oh, two additional points:
1. I'm well aware of how the permissions system works, and what it lets you do. The fact that I disagree with how it is currently (ab)used in the toolkit doesn't mean I don't understand how it works. You don't have to be brilliant to recognize stupid, and stupid is how it is used today.
2. The notion of scoping I propose doesn't reduce the flexibility one iota. Scoping "tom_admin" to "Tom's subsite" would allow you to use it exactly as you describe; it would only prevent you from assigning it to "Jerry's subsite", a *good* thing since doing so would be a NOP anyway.
3. Your example of "tom_admin" more or less proves my point. You introduce this in your example because you want to introduce semantics that aren't provided by the handful of perms defined when acs-core is installed. As I mentioned above, that's *exactly* the case when it makes sense to introduce a new perm. Introducing a new perm with exactly the same semantics as existing perms does nothing but clutter the name space.
But with scoping at least the clutter would be manageable...
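To make the scoping idea in the post concrete, here is an added toy model (not OpenACS code, and not the poster's own) of an object hierarchy with privileges that can be declared either global or scoped to a subtree. The object names, the `tom_admin` privilege and the two subsites are constructed for the illustration. A grant of a scoped privilege outside its scope is rejected up front instead of silently becoming a NOP, while grants inside the scope behave exactly as an unscoped privilege would.

```python
class ObjectTree:
    """Minimal parent/child hierarchy standing in for the site map."""

    def __init__(self):
        self.parent = {}

    def add(self, obj, parent=None):
        self.parent[obj] = parent

    def ancestors(self, obj):
        """Yield obj, then its parent, grandparent, ... up to the root."""
        while obj is not None:
            yield obj
            obj = self.parent[obj]

    def is_within(self, obj, scope):
        """True if obj is scope itself or lies anywhere below it."""
        return any(node == scope for node in self.ancestors(obj))


class Permissions:
    """Privileges with an optional scope; grants inherit down the tree."""

    def __init__(self, tree):
        self.tree = tree
        self.privileges = {}   # privilege name -> scope object (None = global)
        self.grants = set()    # (party, object, privilege)

    def define_privilege(self, name, scope=None):
        self.privileges[name] = scope

    def grant(self, party, obj, privilege):
        scope = self.privileges[privilege]
        # A scoped privilege may only be granted on objects inside its scope;
        # anywhere else the grant could never take effect, so refuse it loudly.
        if scope is not None and not self.tree.is_within(obj, scope):
            raise ValueError(
                f"{privilege!r} is scoped to {scope!r}; cannot grant on {obj!r}")
        self.grants.add((party, obj, privilege))

    def has_permission(self, party, obj, privilege):
        # Walk from the object up to the root; a grant on any ancestor applies.
        return any((party, node, privilege) in self.grants
                   for node in self.tree.ancestors(obj))


def build_demo():
    """Constructed example: two subsites under one site root."""
    tree = ObjectTree()
    tree.add("site_root")
    tree.add("tom_subsite", "site_root")
    tree.add("tom_page", "tom_subsite")
    tree.add("jerry_subsite", "site_root")
    tree.add("jerry_page", "jerry_subsite")

    perms = Permissions(tree)
    perms.define_privilege("read")                          # global, as in core
    perms.define_privilege("tom_admin", scope="tom_subsite")  # scoped privilege
    return tree, perms


def scoped_grant_outcomes():
    """Return (tom_page_ok, jerry_page_denied, out_of_scope_rejected)."""
    _, perms = build_demo()
    perms.grant("tom", "tom_subsite", "tom_admin")
    tom_page_ok = perms.has_permission("tom", "tom_page", "tom_admin")
    jerry_page_denied = not perms.has_permission("tom", "jerry_page", "tom_admin")
    try:
        perms.grant("tom", "jerry_subsite", "tom_admin")
        out_of_scope_rejected = False
    except ValueError:
        out_of_scope_rejected = True
    return tom_page_ok, jerry_page_denied, out_of_scope_rejected


if __name__ == "__main__":
    print(scoped_grant_outcomes())  # (True, True, True)
```

The check in `grant` is the only thing scoping adds: within `tom_subsite` the privilege inherits down to `tom_page` exactly as a global privilege would, and the out-of-scope grant that would otherwise be a silent NOP is turned into an error the administrator sees.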