Subject: ACLs and groups - am I being silly?
To: None <tech-kern@netbsd.org>
From: Lucio De Re <lucio@proxima.alt.za>
List: tech-kern
Date: 03/13/2001 15:38:50
The consensus seems to be that the inflexibility of groups makes it
essential to bring ACLs into the NetBSD filesystem picture.

Is it totally unthinkable to extend in some - not necessarily
compatible - fashion the concept of "group" attached to a file
object such that it in fact represents a unique ACL?  If we assume
that groups and ACLs are mutually incompatible, we have no need to
layer anything, we just need a selector between one model and the
other.

The definition of "other" in this context may well be much more
difficult to establish, but it does not seem an insurmountable
problem (at least without scrutinising it with a security microscope).

How ACLs are managed and implemented becomes almost entirely a
user-level issue.  Not exactly POSIX-compliant, but it may well
suffice.

Just a tangential thought...

++L