I have user A, belonging to group A and B.
I would like user A to run a command by using group B, so I simply run “sg B [command]”.
But when I run the command as group B, it can change the group back to A like this:
sg B 'sg A command'.
Specifically I want to prevent a specific program to access the Internet, which the iptables rule is reject data in group “nointernet”, but if this program runs sg to change the group again, it can access the Internet! E.G.
How should I proceed?
Welcome to Manjaro!
You have an XY Problem: If you want to limit an existing application, use the right tool for the job and in this case that’s apparmor, so:
Let’s suppose you have an application PhoneHome that you don’t want to… well… phone home! 
Create a profile for your application:
sudo aa-genprof /opt/PhoneHome/PhoneHome
This will create an apparmor profile in /etc/apparmor.d/ for PhoneHome
Now you execute your application normally, do everything you need to do it it and all your actions will be logged by aa-genprof.
When you are done with activities hit S` and answer the questions about access or deny to your resources.
When done use F to save your newly created profile and turn it to enforce mode.
Note: As you didn’t specify the application, please know that for a CLI application the above is enough, but for a GUI application, you need to give it access to the X-Windowing system, and if you’re in that case, please start RTFMing.
You could also use firejail --net=none <program> to run a program without network access.