Just for kicks, for one project, I removed the app-specific permissions from the news module and replaced them with their system-wide counterparts. In other words, news-admin -> admin, news-create -> create, news-read -> read, etc.
I then gave the "client_admin" group explicit "admin" permission for a particular news instance. As expected, the "admin" permission only applied to that news site-node, and did not extend to other parts of the site. Very clean and simple.
It worked great, and I haven't noticed any side effects. And in general I tend to agree that app-specific permissions should be avoided wherever possible.