The RBAC for User Groups is extremely limiting. There only exists permissions for "View" and "Manage", but that "Manage" permission is doing a lot of heavy lifting. Granting the "Manage" permission for User Groups means the role is allowed to:

Create / Delete User Groups

Add / Remove users from the User Group (assuming not a SAML linked group)

Manage role bindings for the User Group

Manage notification preferences for the User Group

The use case is that users able to update Notification Preferences for their user groups (specifically managing email distribution groups), but they should not be allowed to create or delete groups, update role bindings, or add/remove users from a group.