I think you'd want to set the trace to run at startup and then log to a table in a database that very, very few people (and not the DBAs) have access to.

You can always log everything from group A, and then delete stuff that has application X in it if you need to. I'd set an alert on the trace stopping, perhaps even shutting down SQL Server if you need it. Not perfect, but it will work.