ALL your members (including Admins, Moderators, Paid Users etc) should be a part of ONE primary group.
Then, secondary groups can be created. The primary group is where the main permissions are pulled - so on any secondary group the permission "Not Set (No)" automatically pulls the permission data from the primary usergroup.
Primary - Can Post (Yes)
Secondary 01 - Can Post (Not Set - No)
The secondary 01 group will pull the permission from Primary.
In case you set "Never" - any user of that group will NEVER be able to that particular action.
Primary - Can Start Personal Conversations (Yes)
Secondary 02 - Can Start Personal Conversations (Never)
Members who are part of the additional/secondary 02 group will NEVER be able to start a conversation until you remove them from that group.
So you don't need to set individual permissions for each group. Set the basic set of permissions for the primary group and give/take additional permissions from secondary groups. If you set any permission as "Not Set (No)" for the primary group, you can override it for any secondary group by explicitly giving it the permission "Yes"
If you have existing users who have a recurring subscription, I believe they have to cancel, then re sign up for that subscription, as it won't likely move over, despite the integrated paid memberships. Correct me if I am wrong.