Okay. Good luck! Let us know if you figure it out. I should have looked at your profile before, but it looks as if you are connected to a partner and have some pretty deep experience yourself, in which case I'm hopeful that you will be able to tap the right experts. For my own part, I'll sheepishly admit that everything I thought I knew about roles, permissions, and contexts has been slightly turned on its head in recent versions, and I learned the lesson I outlined in #2 myself the hard way trying to make a role do too many things in too many contexts.
I ended up separating out the roles to work in the contexts and then going back and assigning the roles to the people who needed the permissions bumps in the contexts in which they needed them. It isn't a strategy that is super-sustainable if one is needing to do this for hundreds of users at a time, but it worked for my short-term needs for the window when I needed SOMETHING to work to allow these few users specific access to specific places while locking them out of other places.
I had already started pounding out a draft detailing the solution, so I'm attaching it in case it is still useful. Plus, I'd really like to know if others have better solutions to this common need. Thanks!