At a high level, Permission/Security groups are the way to manage these relations. I'm not sure exactly how else to answer your question, but it seems like you are on the right path?
Access in a space is controlled at the Content Type level; for example, you could set a security group to have View access to Documents and Create access for Discussions, and no access to Blog posts. So you can't, to your question, give a security group access to items based on the content of those items; for example, you can't set it so that Product Owners can only see content with the tag "Product Owner". Or, to put it another way, you can't control access at the content level, just at the content type level.