FYI, I did figure out the answer to the SID question. Exchange Online runs/ties together with a 'custom' version of Active Directory (no, this isn't the Azure AD you use in the cloud, which doesn't have OUs, etc.). After all, MS has to run Exchange, and Exchange needs a domain. I think the domain is randomidentifier.prod.outlook.com. The SID is actually from that domain, I believe. This is why you have an on-prem SID, then there's a different SID on it via Graph, and a third SID for the same object in Exchange, because the domains are all different. Figured it was worth sharing as that could be helpful. Also, that means you can use it with Exchange commands to resolve security principals.
For example, if you wanted to know exactly what group that SID was, and, like me, FullAccess permissions only shows a display name, you could take that SID and feed it as a filter into Get-Group:
Get-Group -Filter "Sid -eq 'SIDhere'"
That would resolve to an object you could use that would have all the identifying info you would want, so that's helpful to know.