Here's the documentation in case you hadn't found it: Security in Odoo. Specifically, see below:

Global rules versus group rules

There is a large difference between global and group rules in how they compose and combine:

• Global rules intersect, if two global rules apply then both must be satisfied for the access to be granted, this means adding global rules always restricts access further.
• Group rules unify, if two group rules apply then either can be satisfied for the access to be granted. This means adding group rules can expand access, but not beyond the bounds defined by global rules.
• The global and group rulesets intersect, which means the first group rule being added to a given global ruleset will restrict access.

So your option 1 is closest to reality. Option 2 is incorrect since global and group rules intersect, which means they narrow access, not widen it. Option 3 is incorrect since global rules always apply.

In essence, global rules are always applied and group rules can specify them even more.