Thank you for the links - I have had a look at them, but I am afraid they do not describe what to do with the Closed User Group concept where authors want to create a new user group for specific members (not for communities) and use this user group as a restriction on some pages.
How can we combine CUG concepts (that seem to be designed for Published users or Reverse Replication) with Communities (which rely on User Sync)?
Through experimenting, I can see that the tunnel service allows Authors to see and manage users and groups on Publishers regardless of whether these are stored under the /communities/ folder.
However, Authors cannot create users or groups in different folders, and cannot really create CUG entities that are not related to Communities.
I find it a bit confusing that Authors can see and manage these user types but not create them - and I still don't understand how to mix CUG sites and Community Sites (and to use User Synchronization vs. Reverse Replication).