Not entirely sure I follow you, but it seems like you are over-thinking this.
You can definitely assign different privileges to the same "role" (= AD group) in different files. So one AD group can have "read/write/delete" rights in one file and only have "read" rights in another file.
From your description: it is not the Account that decides what a user can do, it is the priv set assigned to that account. So while the same account can exist in multiple files, it does not mean it has to have the same priv set (=rights) in each file.
Yes, I know that different AD groups can be assigned to different privilege sets in different solutions.
What I specifically would like to do, though it appears that there is not a way to do this, is have one solution where a variety of users log in using their own AD credentials, have that solution use a different solution as an external datasource, and use a FileMaker-native account for solution 1 to access solution 2.
As I mentioned, it's essentially mirroring how we use ESS data sources, where access credentials can be included in the system DSN.
It seems that the only way to do this is to use ODBC, which I don't want to do for a FileMaker external data source.