OpenACS, being based on ACS, doesn't use the AOLserver user and group permission system directly, at least, to control access to content sections.
ACS (both Classic and Open) has its own permissions model, which at the moment is unfortunately incomplete and inconsistent between ACS modules.
aD is putting a great deal of effort into improving the modularization of the toolkit, which will also mean improving the granularity of permissions (at least, it had better, from our point of view!)
We (OpenACS) are in the position of being "faithful porters" of ACS Classic, and for better or worse this means porting warts and all, and you've identified a wart (one known to many of us, I'm afraid). We feel the "faithful porter" approach, over the long term, is more valuable than trying to fix myriad specific problems, because aD has over 100 employees at this point and are working hard to re-engineer some of the basic toolkit technology.
Hope this helps ...