Active Directory Security Groups are use to give permission to a user / computer to another resource.
Here the different group type:
AD Local Groups:
This group can have members from it's own domain or any trusted domain
AD Global Groups:
This group can have members only from it's own domain. It could be a user / computer or a global group from it's own domain
AD Universal Groups:
Tis group can have members from it's own domain or any trusted domain. But compare to AD Local Groups, the Universal groups can be member of any AD local groups / AD Universal groups of other trusted domains
If you plan to have more than 1 domain in your forest or you plan to have trusts with other domains / forests. Then it's important to have a good security model for your AD groups.
In the other hands, if you think that you will never have a trust with another domain, the type of groups does not change anything.
Microsoft approach on the group management is ADGLP (or UGLP)
Accounts into globals, Globals into Domain Locals, assign Permissions
So Users should be member of a Global Group, The Global Group member of a Local Group and you assign permissions using the Local Group.
One thing you have to remember before thinking at a massive security model implementation --> Read the KB Article KB327825
A user or a computer cannot be member of more than ±1015 groups (nested groups counts in...)
If you broke this limit, you cannot log into your computer... final ;)
Another thing is the Token bloat. Which is not very common today because of the SID compression. But still accurate if you still have Windows 2008 R2 DC's and lower.
hth