Depends on your use case / what apps you want to provide for your users. For best practice, I avoid the "Visible to all users on this Cloudron" option and remove all assigned groups from a user before deactivating the account.
In the case of Nextcloud, for example, Cloudron groups can be used within the app to give permissions to shares and features. Certain apps can also be configured to give every user that is able to log in a certain amount of permissions (like Nextcloud Auto Groups or specific role management in Bookstack).
I have a "base" group (like <orgname>) giving normal access to apps like Matrix/Element, Nextcloud and Bookstack. Below that I have a group "<orgname>-internal" that gives access to more specific apps like Freescout or Kimai. To go even further you can do <orgname>-<department>, but for most apps you have to specify user permissions in addition. However, it is useful to limit app access by Cloudron groups so users don't end up in a spot where they don't have permissions or no role to fulfill.