Forum OpenACS Development: Re: Ideas for using groups to minimize custom permission

Posted by Tom Jackson on

Lars, in response to your last paragraph: you only need one group, probably per mounted instance (for instance privileges), or per subsite (for subsite-wide privs). But each grant 'write', 'read', 'admin' would need a separate rel_type (only three for an entire OACS installation). Checking for the membership type in a certain group would be the same as checking the permission to do an action. But I think having the 'write' membership on a news package would not imply I could change someone else's posting; that would be handled by direct permissions on the news object itself. But if a certain membership is required to access a page where administrative functions are available, you don't need to look at direct or indirect permissions on objects.

At any rate, if you can create a site which somehow knows the difference between data for one subsite and the next, it is obvious you can construct a unique proxy object, or group membership, hopefully automatically, that can be used to do what Dave suggests.