Regarding your first scenario, this is by design. Even though users could belong in the same group within Paxata, there might be further ACL set on the SOR, so replicating groups set at the data source level to the imported dataset might expose data to users that do not otherwise have access to it.
The second scenario, after further review, we found some inconsistent behavior which needs to be addressed on our side. Your expectation is correct, answersets should inherit permissions from the project. Our development team is looking into it.