You can define permissions for groups in the collection settings for each collection individually. You don’t have to give global rights to user groups.
In the permissions tab you can set individual rules via PHP.
See this thread for some more explanations:
For granular user and read permissions, write your own rules in PHP. Some inspiration here: