1) Yes, then the service has write access to the PI Server, but the service does not write data to PI. However, using the piadmin user account in PI Server is not recommended.
2) Any AD group that requires access to the PI tags and data should have a mapping to a PI identity/user/group that allows access to the PI tags. If you only need read access for a number of PI groups, you can create a single identity that has access to the PI data and create a mapping for each AD group to that identity.
3) The individual receives the access that is granted through the AD group, to the mapping, to the PI identity, to the PI Point authorisations. Assuming Kerberos is in place, it's always the individual user being passed to the PI Server. The PI Server then checks the group memberships, mappings and authorisations.
It's a fine-grained model, so yes, design of security requires a mix of knowledge of both Windows and PI security principles.
Hope this helps!
That should help alleviate some of the security concerns.
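As an added illustration of the resolution chain described in the answer above (Windows user -> AD group -> PI mapping -> PI identity -> PI point authorisation), here is a small Python model of how the PI Server decides what a connecting user may do with a point. This is example code written for this page, not code from the original thread or from OSIsoft; the group, identity, user and point names are constructed, and the only real PI element reused is the syntax of the point security attributes (ptsecurity / datasecurity), which read like "piadmin: A(r,w) | PIWorld: A(r)". The model also shows the second point of the answer: several AD groups mapped onto one read-only identity.

```python
"""
Model of PI Server access resolution (added example, not PI's own code).

Constructed data: AD_GROUPS, MAPPINGS and POINTS are illustrative only.
Real element reused: the PI security-string format "identity: A(r,w) | ...".
"""
import re
from dataclasses import dataclass

# One access-control entry per '|'-separated segment: "<identity>: A(<rights>)"
# where <rights> is empty, r, w or r,w (A() means no access for that identity).
ACE_RE = re.compile(r"^\s*([^:]+?)\s*:\s*A\(\s*([rw]?(?:\s*,\s*[rw])*)\s*\)\s*$")


def parse_security_string(s):
    """Parse a PI ptsecurity/datasecurity string into {identity: set(rights)}."""
    acl = {}
    for entry in s.split("|"):
        if not entry.strip():
            continue
        m = ACE_RE.match(entry)
        if not m:
            raise ValueError(f"malformed access entry: {entry!r}")
        identity, rights = m.group(1), m.group(2)
        acl[identity] = {r.strip() for r in rights.split(",") if r.strip()}
    return acl


@dataclass(frozen=True)
class Mapping:
    """A PI mapping: a Windows principal (user or group) -> a PI identity."""
    principal: str
    identity: str
    enabled: bool = True


# Constructed AD group membership (what Kerberos/AD would tell the PI Server).
AD_GROUPS = {
    "CORP\\alice": {"CORP\\PI-Operators"},
    "CORP\\bob": {"CORP\\PI-Engineers"},
    "CORP\\carol": {"CORP\\Finance"},          # no PI-relevant group
    "CORP\\dave": {"CORP\\PI-Analysts"},
}

# Constructed mappings: two AD groups share one read-only identity (point 2 of
# the answer); engineers get a separate identity with write access.
MAPPINGS = [
    Mapping("CORP\\PI-Operators", "PI_Readers"),
    Mapping("CORP\\PI-Analysts", "PI_Readers"),
    Mapping("CORP\\PI-Engineers", "PI_Writers"),
]

# Constructed point security strings; identities not listed get no access.
POINTS = {
    "SINUSOID": "piadmin: A(r,w) | PI_Readers: A(r) | PI_Writers: A(r,w)",
}


def effective_identities(user, ad_groups=AD_GROUPS, mappings=MAPPINGS):
    """Identities the user holds: every enabled mapping whose principal is the
    user or one of the user's groups. PIWorld is added because every
    authenticated PI connection implicitly carries that identity."""
    principals = {user, *ad_groups.get(user, set())}
    ids = {m.identity for m in mappings if m.enabled and m.principal in principals}
    ids.add("PIWorld")
    return ids


def effective_rights(user, point, points=POINTS, ad_groups=AD_GROUPS, mappings=MAPPINGS):
    """Union of rights granted to any of the user's identities on the point."""
    acl = parse_security_string(points[point])
    rights = set()
    for identity in effective_identities(user, ad_groups, mappings):
        rights |= acl.get(identity, set())
    return rights


def can_read(user, point):
    return "r" in effective_rights(user, point)


def can_write(user, point):
    return "w" in effective_rights(user, point)


if __name__ == "__main__":
    for u in AD_GROUPS:
        print(f"{u:12} identities={sorted(effective_identities(u))} "
              f"read={can_read(u, 'SINUSOID')} write={can_write(u, 'SINUSOID')}")
```

Note that the model grants access by union: if the same user falls into two mapped groups, they get the combined rights, so a write identity reached through any one group membership is enough to write. That is why the answer stresses designing the AD groups and the PI mappings together rather than in isolation.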