Hi @jjohn – thank you. I pinged the Forge forum earlier this week, and @XavierCaron mentioned that they too were trying to escalate (What scopes are required to fetch a Confluence group by ID? - #2 by XavierCaron).
I can also confirm that the existing Connect conditions work with group IDs. Thanks!