I don't understand the design of the plugin.
If I own the 'Administer Groups' permission, I'm able to get all capabilities I want. Thus I can break out. So why did you implemented the permission 'Administer Groups plugin options'?
It would be nice to have a plugin which provides a post access management without such security issues. In my opinion you should remove the whole capability management code because other plugins like 'User Role Editor' do it better anyway. That's the KISS principle. :D
Another problem I found: why do you differentiate between normal cap's and 'read access enforce' cap's? And why can I set the latter at the meta box and the option screen but not at the capability management screens?