Thanks, Jun. I think you are right that the group admin pages are lacking, but in this case I have verified that the fault really is in what's being done to the underlying tables.
For now, I'm going to abandon any reliance on the application_group stuff and scope my subsite by adding a package_id column to my data to distinguish which subsite it "belongs" to. It will be less flexible than using application_groups but a) I can understand it, and b) I'm not enough of an expert to fix the Subsite code.
This solution was recommended in this old AD thread (at the very bottom):
http://www.arsdigita.com/bboard/q-and-a-fetch-msg?msg%5fid=000KO5&topic%5fid=175&topic=ACS%20Design
It also points out the limitations of the package_id approach. Since there's no mention of application_groups, I'm assuming that this discussion came along before that notion was introduced, especially because the application_group scheme (if properly implemented) could elegantly solve some of the context_id/permissions problems that are discussed there.