Since there was never any scalabilty testing, we were told to make all the packages have their own permissions. That is why acs-reference (for one) have outdated permissioning.
I should probably change that now that deleting things from objects, permissions et al works (which it didn't used to so I left it there).
And yes you are right about wanting to assign someone say news admin but not site admin. I am not sure that is still the right way to do it as you can just create a group and assign the group admin on that instance of the package.