Maybe I'm missing something on 2. here, but wouldn't it be possible to use an intersect on the membership permission to enforce the membership in the organization the group belongs to? Cooked up an example here:
https://play.authzed.com/s/lvVVPgFlV0FE/schema
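A SpiceDB schema sketch of the intersection idea above, written as an added illustration rather than the schema at the linked playground; the definition and relation names (`organization`, `group`, `org`, `member`, `membership`) are assumed for this example:

```zed
definition user {}

definition organization {
    // direct membership in the organization
    relation member: user
    permission view = member
}

definition group {
    // the organization this group belongs to
    relation org: organization
    // direct membership in the group
    relation member: user

    // Intersection (&): a user only holds `membership` when they are a
    // direct group member AND a member of the owning organization.
    // Removing someone from the organization therefore revokes access
    // to every group in it without touching each group's member relation.
    permission membership = member & org->member
}
```

A check such as `group:eng#membership@user:alice` only succeeds when both `group:eng#member@user:alice` and `organization:acme#member@user:alice` exist (with `group:eng#org@organization:acme`).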