After discussions with and it was determined that it is not currently possible to determine which kylo users belong to which kylo group's using the security framework. This functionality could come in useful in a variety of use cases, the first concrete use case is notebook sharing.
In particular, the use case required by notebooks is a bit more in that I want to determine the effective list of users with access to an entity (project in this case). If a service method existed to get all users in a group, then I would get all principals with a given permission (access, edit, change_perms, etc.) and for all principles returned that are groups get the users and merge them into a unique set.