Changing to wishlist because, while I understand the desire, the Group Application Permissions mechanism is specifically intended to restrict creation and modification of a user based on their Profile Group field.
I think either a secondary-group focused mechanism, or a separately permission-protected library setting (or, more realistically to reduce the complexity of the logic for the user, a global flag) that tells the system to treat secondary groups the same as the Profile Group, will be needed.