You probably noticed that besides "well-known group" and "group" in the output of whoami /all command, there is also another type called "alias". There was much result in googling to tell what this exactly is.
After much searching, find this document: SAM Remote Protocol - not that kind of doc you'd think of for the question we have above. Anyhow, even info in this doc is obscure:
alias object: See resource group
then:
resource group: A group object whose membership is added to the authorization context only if the server receiving the context is a member of the same domain as the resource group.
Translation:
An alias is a domain local group from same domain as the resource server where it receives the context