First: White, Grey and Blacklists only apply to mail entering from outside the system (external mail).
Second: After a systemwide RBL and Disallow list check, the account Whitelist is checked next -- if the address and IP combination are present, the mail message is delivered directly to the intended mailbox bypassing greylisting and Spam Threshold.
Third: If a an email message address is not on the whitelist, the blacklist would be checked next (so that the message could be discarded), then if Greylisting is on, it is checked against the greylist and autowhitelist before being sent on to the Spam Threshold Filters...
If Greylist is off, the mail flows to the Spam Threshold filters (SA) and then to the mailbox.
By using a whitelist entry for an inbound email address, you circumvent/prevent the rest of the scanning process from being followed... this should make the delivery more immedate and reduce any risk that the mesage will be "trapped" somehow in the filter.
As you note, it is necessary to Whitelist (or blacklist) the X-ORIG-SENDER value from the header to have this work correctly -- which, I concur is a pain -- one would think in this day and age the code to check mail headers would be advanced enough to to pick this value up and add the correct entry to the table... who knows, perhaps that will eventually be available/implemented.
And, I concur; with Greylisting Off and Spam Threshold off, one would assume that whitelisting shouldn't matter ... but, I have seen situations in which it did...
Aside from the above, which I believe to be accurate for the platform --- I'm not involved with the Powweb mail system directly, so the following is just guesses based on what I've seen in other mail systems I've been exposed to.
I'm not privy to the exact way the system works, but having looked at a number of these implementations, I suspect the Spam Threshold "Off" is not "turned off" but rather "scoring off" -- so that the mail might still be scanned and scored, but the results are not applied to filter the mail or trigger the alternative delivery (e.g. prefixed by a word like SPAM, or sent to a SPAM Folder, etc.). In any event, the mail does "flow through" the filter unless its on the Whitelist.
So, the whitelist entry, which causes the mail scanning "not" to occur for a specific message -- since the system is "going to deliver the mail anyway", I think actually provides the greater assurance of message delivery.