I think we made a mistake exposing this "meta" LDAP admins group initially. IMO, it's a great feature if Cloudron admins and app admins can be in sync, but the issue is that most apps don't support group sync and thus the admin status goes out of sync as well.
I think what might be great is something a little different:
When creating a group, we have a flag for whether it is an LDAP group as well. This is only needed because I don't know how apps behave when groups come and go. Like, if I shared with an LDAP group in Nextcloud and the group is deleted in Cloudron, I'm not sure what happens.
Leave it to the user to maintain the mapping and not automate group mapping setup in the package. This is the key part. By putting the responsibility on the user, they need to have an understanding of the limitations. When we automated admins, we took on the responsibility and couldn't keep the promise.
This feature will help things like osTicket, which relies on LDAP groups to set up agents and other roles.