Using tree_root_id is quick and easy. I should have mentioned it. It's not secure, though since a user can edit any resource if they enter the URL for it manually in the Manager. It would be pretty easy, with trial and error, for them to find and potentially edit every page on the site. If all your users are completely trustworthy, this may not matter.
As you found, connecting the user's group and the resource's group does nothing at all other than protecting the resources from people outside that user group. This is the expected behavior.
If you re-read my original post, you'll see that non-article docs are only protected when in a resource group that's connected to a user group *the user is not a member of*. That's why Susan and I both mentioned putting all other resources in a resource group and connecting that RG to the Administrator User Group. That actually protects them from users outside the group.
You can automatically add all new resources to that protected group with the DefaultResourceGroup plugin.