maybe not the advice you expect but we already implemented something like you describe available as a commercial Alfresco Moulde: ecm4u SmartPermissions
If you add the SmartPermission aspect, the permissions defined for the space the secondary assocs is stored in will be added/inherited . An icon and hint will visualize the smartPermissions to show the user that the file inherits permissions from somewhere else.
We combine this often with our ecm4u Filing module (define names, filing locations, secondaries by rules, templates and metadata) and ecm4u SmartLinks which adds UI support and fixes issues for secondaries on fileserver access.
@afaust: Use case is easy to describe: Multifiling, file plans without the hassle of explicit ACLs.
If you e.g. save a suppliers invoice in the accounting structure which is only accessable by the accounting team, you could add a secondary assoc in the projects or departments space and everybody having access to the secondary space now may read the document.