Hi Lars,
I have had a similar system up and running since 4.5 beta. I have this problem too. I posted this issue on the bboard, and the consensus, from what I remember, was to have the ability to choose where to inherit from. The default is to inherit from the "Main Site". So a UI to choose which context_id to use was where the discussion ended up.
I use this SQL to fix up the permission that I need.
update acs_objects set context_id = '[object_id of new subsite]' where object_id = '[object_id of file storage]' or object_id = '[object_id of bboard]' or object_id = '[object_id of tt-lite]';
My setup is
/clientsite
/bboard
/file-storage
/tt-lite
I then add the user to the "clientsite parties" from the groups table, using select membership_rel__new('[group_id]','[user_id]');
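
An added example, not part of the original post: a simplified sqlite3 model of acs_objects and acs_permissions that checks the context chain and the inherited grant before and after the context_id update described above. All ids, the name column and the helper functions are constructed for illustration; real OpenACS also uses security_inherit_p, privilege hierarchies and group membership, which are not modelled here.

```python
import sqlite3

def build_db():
    """Constructed sample data: packages mounted under /clientsite but still
    inheriting from the Main Site, as in the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE acs_objects (object_id INTEGER PRIMARY KEY, name TEXT, context_id INTEGER);
        CREATE TABLE acs_permissions (object_id INTEGER, grantee_id INTEGER, privilege TEXT);
        -- constructed ids: 1 = Main Site, 10 = clientsite subsite, 11-13 = packages
        INSERT INTO acs_objects VALUES (1,'Main Site',NULL),(10,'clientsite',1),
            (11,'bboard',1),(12,'file-storage',1),(13,'tt-lite',1);
        -- party 100 stands for the "clientsite parties" group, granted read on the subsite only
        INSERT INTO acs_permissions VALUES (10,100,'read');
    """)
    return db

def context_chain(db, object_id):
    """Walk context_id upward; return names from the object to the root."""
    rows = db.execute("""
        WITH RECURSIVE chain(object_id, name, context_id, depth) AS (
            SELECT object_id, name, context_id, 0 FROM acs_objects WHERE object_id = ?
            UNION ALL
            SELECT o.object_id, o.name, o.context_id, c.depth + 1
            FROM acs_objects o JOIN chain c ON o.object_id = c.context_id)
        SELECT name FROM chain ORDER BY depth""", (object_id,)).fetchall()
    return [r[0] for r in rows]

def has_permission(db, object_id, party_id, privilege):
    """True if the grant sits on the object or on any ancestor in its context chain."""
    row = db.execute("""
        WITH RECURSIVE chain(object_id, context_id) AS (
            SELECT object_id, context_id FROM acs_objects WHERE object_id = ?
            UNION ALL
            SELECT o.object_id, o.context_id
            FROM acs_objects o JOIN chain c ON o.object_id = c.context_id)
        SELECT COUNT(*) FROM acs_permissions p JOIN chain c ON p.object_id = c.object_id
        WHERE p.grantee_id = ? AND p.privilege = ?""",
        (object_id, party_id, privilege)).fetchone()
    return row[0] > 0

def reparent(db, new_context_id, object_ids):
    """The post's UPDATE, with bound parameters instead of pasted ids."""
    marks = ",".join("?" * len(object_ids))
    db.execute(f"UPDATE acs_objects SET context_id = ? WHERE object_id IN ({marks})",
               [new_context_id, *object_ids])
```

In this model the packages still inherit Main Site grants after the update, because the subsite's own context_id points at the Main Site; the update adds the subsite's grants to the chain rather than replacing the old ones.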