[BUG] App Id does not filter groups hierarchically

One of the key features of Entitlements V2 is that it handles groups and users hierarchically meaning permissions can be inherited down a tree.

Another key feature is that optionally an App Id can be assigned to a group and act as a mask meaning only requests that come from a specific application for that user can return that permission.

However the App Id mask does not act hierarchically, meaning if I assign an App Id to a parent group child groups can still be returned for that user out of context of the app. The desired behavior would be to mask all child groups associated with a parent group with an App Id mask to prevent possible leakage of data permissions not associated with that app.