What's the primary group SID in a NFTS file's security descriptor used
for? Is it only used in case some of the inherited ACEs specify a
trustee SID of CREATOR GROUP? (I.e. mostly useless?)

The owner SID apparently gives that owner right to change the DACL,
regardless of whether the owner is in matched by any ACE?

--tml