Portal security is based on the user, not the item. The way items are shared within organizations is then more dynamic instead of a static hierarchy.
To accomplish what you are asking for may require an org restructure of your portal: the creation of specific groups and roles that define what each individual or group of individuals can do with items shared to the groups of which they are a part. It is possible, for instance, to share an item to a single group whose members can only view (or other capabilities at your discretion at the individual or group level) and not share the content from that group. This would be your "category 3" use case.
Basing security on identity allows portal to integrate with other identity-based security systems such as Active Directory, and fundamentally allows for higher levels of customized security that much of our user base requires. It is possible that in the future some itemized security might be introduced, but as it stands now this doesn't exist in the way you've described it.
I really hope this helps.