I previously reviewed version -09 of this draft and raised concerns regarding inconsistent terminology and the scope of the group definitions. The authors have significantly improved the document in version -10. 
All questions and issues I identified in my previous review were addressed or answered. Thanks to the authors for the rapid reaction!

The restructuring of the Terminology section and the clarification of the relationship between the generic "Endpoint Group" and its specific subtypes (User, Device, Application) has resolved the architectural ambiguity I previously noted. Furthermore, the added examples clarify that the defined RADIUS attribute (User-Access-Group-ID) is intended specifically for user-centric authentication scenarios, while other group types are provisioned differently. This distinction makes the attribute naming logical and clarify the indented use for the different group types.

The choice of 'group-id' being a string has been discussed on github and in the WG, so I don't see any issue with it.

Minor nits:
In the terminology section, there are leading spaces missing before the bullets "* device group:" and "* Application group:"