For automatically adding a field to new doctypes, I believe you could just add normal on_insert or on_save lifecycle hooks to the DocType definition.
I’m not aware of any way to run arbitrary logic every time a document is read, and if such a thing were added you’d have to be careful about performance bottlenecks. Read is assumed to be a computationally “cheap” process. It might be possible to do this using Virtual Fields, but in any case it’s probably better to find a solution that doesn’t require schema changes on every read.
For catching all updates to the database, hooks.py allows you to attach a CRUD method to all doctypes using "*" (see here). With this, it’s fairly straightforward to run logic on all before_save events, etc., before anything gets updated in the database.
If you’re storing this data in a field, there’s no need to do anything special to make it available to client api methods. It will be there automatically.
(Friendly addition to the above: I’m skeptical that adding a new field to all docs is the right way to get group permissions. Wouldn’t extending extending the existing User Permissions mechanism to use group definitions be easier and cleaner?)
Edit: forgot that hooks.py allows "*" on doc_events