A partial solution to the publishing workflow could be to use the intranet/extranet workflow. Then someone can internally publish an item and it becomes available for members, but is still protected from anonymous access. You basically create an 'intranet/member' group. But it doesn't scale.
The second challenge is when you have multiple 'dynamic' groups, where content in the group should only be visible to group members and you have many groups. The only solution I have seen so far that scales without you having to create extra workflow states for each security group is collective.workspace. This add-on was also the basis for the workgroup support in PloneIntranet/Quaive.
collective.workspace creates local rosters for each group, where its members have their own 'local' permissions on the group content inside the group folder. It had some performance issues >5 years ago, but these were solved in version 1.2.
[edit/add] Of course you can create custom solutions where you check for group membership and show/hide things, but collective.workspace is the only abstraction that 'maps' cleanly onto the default permission/role system IMHO.
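To make the scaling argument concrete, here is an added toy model (not code from the post above, from Plone, or from collective.workspace) of how a workflow-state-to-role mapping, global roles and per-folder local roles granted through a roster combine into a single view check. The role name `TeamMember`, the state name `team_visible`, and the users `admin`, `bob`, `anon` and `alice<i>` are assumptions of the example; the point it shows is that the workflow gains exactly one state that names a role rather than a group, so adding a group adds a roster entry, never a workflow state.

```python
"""Toy model of a Plone-style security check: workflow state -> roles,
global roles per user, and per-folder local roles granted through a
group roster. Illustrative only; it is not Plone or collective.workspace code."""
from dataclasses import dataclass, field

# Workflow: state -> roles that hold the View permission in that state.
# 'team_visible' is the one extra state the roster approach needs. It names
# a role ('TeamMember', an assumed name), never a group, so adding a group
# adds a roster, not a workflow state.
WORKFLOW = {
    "private": {"Owner", "Manager"},
    "internal": {"Owner", "Manager", "Member"},            # intranet/extranet style
    "team_visible": {"Owner", "Manager", "TeamMember"},
    "published": {"Owner", "Manager", "Member", "Anonymous"},
}


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)


@dataclass
class Folder:
    """A group folder; roster maps user name -> local roles held inside it."""
    name: str
    roster: dict = field(default_factory=dict)

    def add_member(self, user: User, roles=("TeamMember",)):
        self.roster.setdefault(user.name, set()).update(roles)


@dataclass
class Item:
    name: str
    folder: Folder
    state: str
    owner: str


def effective_roles(user: User, item: Item) -> set:
    """Global roles, plus Owner for the creator, plus local roles from the folder roster."""
    roles = set(user.global_roles)
    if user.name == item.owner:
        roles.add("Owner")
    roles |= item.folder.roster.get(user.name, set())
    return roles


def can_view(user: User, item: Item) -> bool:
    """View is granted when the user holds any role the item's state allows."""
    if item.state not in WORKFLOW:
        raise ValueError(f"unknown workflow state {item.state!r}")
    return bool(effective_roles(user, item) & WORKFLOW[item.state])


def build_site(n_groups: int = 3):
    """Constructed sample: n group folders, one 'team_visible' doc each, owned by
    'admin' (Manager); alice<i> is a site Member on group<i>'s roster only."""
    admin = User("admin", {"Manager", "Member"})
    users = [admin, User("bob", {"Member"}), User("anon", {"Anonymous"})]
    items = []
    for i in range(n_groups):
        folder = Folder(f"group{i}")
        member = User(f"alice{i}", {"Member"})
        folder.add_member(member)
        users.append(member)
        items.append(Item(f"doc{i}", folder, "team_visible", owner="admin"))
    return users, items


def visibility(users, items) -> dict:
    """(user, item) -> bool for every pair: the matrix the workflow+roster model yields."""
    return {(u.name, it.name): can_view(u, it) for u in users for it in items}


if __name__ == "__main__":
    users, items = build_site()
    for (u, it), ok in sorted(visibility(users, items).items()):
        print(f"{u:>7} {it}: {'view' if ok else '-'}")
```

Running it with 3 or 50 groups leaves `WORKFLOW` at four states; `alice0` sees `doc0` only through her roster entry (she is neither owner nor Manager), `bob` as a plain site Member sees none of the group docs, and flipping a doc to `published` opens it to `anon` without touching any roster.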