It depends on what you want to do with Acl. What you have looked at in Croogo or Alaxos Acl plugin (my plugin by the way) is the use of Acl to allow/deny access to some actions.
This is achieved by the use of the AuthComponent and AclComponent together. When doing this, if you look at the Cake code, the permission check is done in the DbAcl class in the following method:

function check($aro, $aco, $action = "*")

which takes potentially three arguments.

The call to this function is done by the ActionsAuthorize class in the authorize() function at the following line:

return $Acl->check($user, $this->action($request));

which is obviously a call without the third argument.

So basically what is this third argument ? It is the way to take care of the _xxx fields of the aros_acos datatable. So all together this means that the Auth+Acl components do not use these _xxx fields to check permissions.
Well actually they are used, but differently: when the third argument is not used, all fields set to 1 means allowed, and if one or more fields are set to -1, it means denied.
Personally for the Alaxos Acl plugin, I choosed to set all these fields to -1 for a deny, just for more clarity.

Regarding your application, if its ‘features’ are mapped to actions, you could probably just forget these _xxx fields and use the core Auth+Acl mechanism.

About your last question (owner edit and delete), it is a frequently asked question with Cake ACL.
The answer is most of the time that it is simpler to compare the Object.user_id and the logged user id to decide if a user can edit/delete a record. Cake ACL does not support record’s owners out of the box.