Some really excellent stuff here which has clarified a number of issues - Kudos to all!
One suggestion would be to add some examples of fine-grained claims authorisation in SP. The examples show some coarse-grained claims authorisation based on groups.
I’m thinking more along the lines of users with different claims (roles) seeing “different” SP pages e.g. all users can access the page but some "parts" of the page are not visible for some roles.
There are many examples of this for ASP.NET but next to nothing for SP.