"Intermediate" administrator profile for DSS?

Solved!
tanguy
We are in search of a profile that could be considered an 'Intermediate' Administrator, allowing access to the entire DSS server for purposes such as project statistics and code environments monitoring, without providing access to global administrative configurations. Does such a profile currently exist? The response provided in this post implies that, as of now, there are only two types of administrators:

  • Project administrators, who, by definition, have administrative privileges limited to individual projects.

  • Global DSS administrators, who not only have access to the entire DSS server but can also perform global administrative tasks, which is not in line with our specific requirements.

We have contemplated the idea of automatically assigning all DSS projects to a dedicated group to accommodate these "intermediate" administrators, but this approach seems somewhat convoluted. Is there a more straightforward method to achieve this?


Operating system used: Linux

1 Solution
Turribeach

As you have found out there isn't a profile that can cover your requirement. Furthermore Dataiku profiles restrict functionality (what you can do) for licensing purposes but do not restrict where you can do it which is where user groups come into play. There is an intermediate profile called Explorer (Dataiku will exchange you 1x Data Scientist license for 10x Explorers) but even with additional project permissions this profile wouldn't have access to a lot of things like project settings, code environments, etc. 

Therefore the only way to achieve your requirement currently is to have a Data Scientist profile permissioned accordingly in all your projects, code environments, etc. that you want them to access, but without adding it to the Project Admin section nor the Admin security group. With regards to server settings, it is all or nothing I am afraid, as Dataiku does not provide a capability to review Administration settings in read-only mode. Either you see them and can change them or you don't even see them.

"We have contemplated the idea of automatically assigning all DSS projects to a dedicated group to accommodate these "intermediate" administrators, but this approach seems somewhat convoluted". 

>> I wouldn't call that convoluted and it's exactly what you need to do. This is a common pattern in permissioning access to resources where they get permissioned for high level groups that can manage them, view them, etc.

Finally consider that any functionality that you can't access in read-only mode you can always create a Dataiku WebApp and expose it there. We created a WebApp to run Scenarios in our production Automation node for instance, so that we could permission users to run Scenarios without having permissions to modify the project (which is not currently possible to permission via standard privileges). 
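
The dedicated-group pattern discussed above, as an added example that is not part of the original thread or Dataiku's own code: it gives one group a non-admin, read-only entry on every project through the public API client and reports projects whose entry is missing or has drifted (for instance to admin). The group name `dss-observers`, the host URL, the API key placeholder and the chosen set of grants are assumptions; check the permission field names against your DSS version.

```python
# Added example. Field names follow the DSS public API project-permissions
# payload as an assumption; verify them against your DSS version before use.
READ_ONLY = {"admin": False, "readProjectContent": True,
             "writeProjectContent": False, "readDashboards": True,
             "runScenarios": False}


def ensure_group_entry(permissions, group, grants=READ_ONLY):
    """Return (new_permissions, changed) with exactly one entry for `group`
    carrying `grants`. The owner and all other entries are left untouched;
    flags not listed in `grants` keep whatever value the entry already had."""
    entries = permissions.get("permissions", [])
    others = [e for e in entries if e.get("group") != group]
    current = [e for e in entries if e.get("group") == group]
    wanted = dict(grants, group=group)
    # Drift = entry missing, duplicated, or any wanted flag differs (e.g. admin).
    changed = len(current) != 1 or any(
        current[0].get(k) != v for k, v in wanted.items())
    if not changed:
        return permissions, False
    merged = dict(current[0], **wanted) if current else wanted
    return dict(permissions, permissions=others + [merged]), True


def sync_all_projects(client, group, dry_run=True):
    """Check every project; return the keys whose entry was missing or drifted.
    With dry_run=True nothing is written, so this doubles as an audit."""
    drifted = []
    for key in client.list_project_keys():
        project = client.get_project(key)
        updated, changed = ensure_group_entry(project.get_permissions(), group)
        if changed:
            drifted.append(key)
            if not dry_run:
                project.set_permissions(updated)
    return drifted


if __name__ == "__main__":
    import dataikuapi  # requires the dataiku-api-client package

    # Hypothetical host, key and group name; replace with your own.
    client = dataikuapi.DSSClient("https://dss.example.internal:11200",
                                  "API_KEY_PLACEHOLDER")
    print(sync_all_projects(client, "dss-observers", dry_run=True))
```

Run on a schedule in dry-run mode, the returned list shows new projects that lack the group and any project where the group has been granted more than intended.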


2 Replies
Antal

We have posited the same 'feature request' to our Dataiku account manager.

It seems not possible at the moment.
