At the time I can't reach the sales team, and since I am only a dev I can't say for sure that our workflow is unchangeable.
About your alternative: I would have to add a LogicHook for each module my Security Group has access to, and I would have to make code changes if the permissions for security group A get expanded. I probably have to override the "assign to" functionality. I need to check if I can implement that without breaking update safety.