We mulled over these same issues at ProofHQ (ProofHQ is a collaborative review and approval app for documents, design and artwork). How do we let people distribute proofs to their reviewers without having to recreate groups from other apps all over again?

We have developed the following layers:
1. Private, not distributed. Only available to people in the creator’s organisation with appropriate security rights.
2. Distribution based on email ID. Only named recipients can access the files. we will be adding a Groups feature to this shortly.
3. Controlled distribution by embedding the proof in private wikis, web pages, intranets, etc.
4. Public distribution in public web pages, blogs, etc.

We are seeing a lot of take up with the third option, which lets people embed their proofs into existing “private” web pages. By default the proof is only available to people with permission to see those web pages. This brings ProofHQ into their existing process rather than forcing the creation of yet another set of permissions.