I think my way is easier, but I wouldn't bet my house on it.
For my method, when a user upgrades, you just have to add them to the new group(s) and probably remove them from their current group (it won't hurt to leave them there, but you might want to, for example, email all members of a particular group or do something else with them).
You have a point about DefaultResourceGroup (though you gain DefaultUserGroup to put everyone in group 1). You can certainly have three separate resource groups with no overlap, but it will double the number of ACL entries you need and that might slow things down a little when they're evaluated.
The problem you're describing shouldn't happen (unless I've got something wrong).
Connecting the group 2 resources to the group 2 user group should protect those resources from anyone who is not in group 2, unless they're granted access elsewhere. The same should be true of group 3.
As long as the group 1 users only have an ACL entry connecting them to the LowAccess resources, they shouldn't be able to see the group 2 or 3 resources.
-- Be sure you flush both permissions and sessions before testing.
-- Always test from another browser where you're not logged in to the Manager.
-- Make sure you got rid of your previous ACL entries,
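The access logic described above (group 2 resources reachable only through the group 2 user group, group 1 users seeing only LowAccess, a user left in an old group losing nothing, and resources in no resource group being open to everyone, which is what the DefaultResourceGroup question is about) can be checked against a small model. This is an added, constructed example, not MODX code and not its ACL evaluation algorithm; the group names, resource names and users are made up for illustration.

```python
"""Toy model of group-based resource access (constructed example; not MODX's code).

Access is additive: a user can see a resource if any of their user groups has an
ACL entry pointing at any resource group the resource belongs to. A resource that
sits in no resource group is not protected by any entry and is visible to all.
"""

# ACL entries as (user_group, resource_group) pairs. Constructed sample data.
ACL = {
    ("Group1Users", "LowAccess"),
    ("Group2Users", "Group2Resources"),
    ("Group3Users", "Group3Resources"),
}

# Resource -> resource groups it belongs to. Constructed sample data.
RESOURCE_GROUPS = {
    "public-page": {"LowAccess"},
    "tier2-page": {"Group2Resources"},
    "tier3-page": {"Group3Resources"},
    "shared-page": {"Group2Resources", "Group3Resources"},
    "orphan-page": set(),  # never added to a resource group
}

# User -> user groups. Constructed sample data.
USER_GROUPS = {
    "alice": {"Group1Users"},
    "bob": {"Group2Users"},
    # Upgraded to group 3 but left in group 1, as the post says is harmless.
    "carol": {"Group1Users", "Group3Users"},
}


def can_access(user, resource):
    """True if some ACL entry links one of the user's groups to one of the resource's groups."""
    groups = USER_GROUPS.get(user, set())
    needed = RESOURCE_GROUPS.get(resource, set())
    if not needed:
        # No resource group means no ACL entry can restrict it: open to everyone.
        return True
    return any((ug, rg) in ACL for ug in groups for rg in needed)


def visible_resources(user):
    """Sorted list of resources the user can see under the model."""
    return sorted(r for r in RESOURCE_GROUPS if can_access(user, r))


def unprotected_resources():
    """Resources in no resource group; these are the gap a default resource group closes."""
    return sorted(r for r, groups in RESOURCE_GROUPS.items() if not groups)


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, "->", visible_resources(user))
    print("unprotected:", unprotected_resources())
```

Running it shows alice (group 1 only) confined to the LowAccess page plus the orphan, bob reaching the group 2 pages, and carol keeping her group 1 access while gaining group 3; the orphan page is the one to catch before testing, since no ACL entry can hide it.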