I was able to reproduce this on the latest R57(	9202.11.0:57.0.2987.19) as well.
This is the extension id: https://chrome.google.com/webstore/detail/ps-webrequestwhitelisttes/abledcocbcnadigdhclioheigpkfeggl

I see the same error in the ui logs as reported by OP ie, the "non-whitelisted dict in permission list: fileSystem"
The extension is not downloaded in Public Sessions.

This is the manifest of the extension:
{
"update_url": "https://clients2.google.com/service/update2/crx",

	"manifest_version": 2,

	"name": "PS WebRequestWhitelistTestGgle",
	"description": "Testing Webrequests API in PS, Has webRequest, Webrequest BLovking anf Filesystem",
	"version": "1.9",

	"browser_action": {
		"default_icon": "icon.png",
		"default_popup": "popup.html"
	},
	"permissions": [{
			"fileSystem": ["write"]
		},

		"webRequest",
		"webRequestBlocking"

	]

}

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/933ddc2ee726091a7be2b1d2cb2a273231813313

commit 933ddc2ee726091a7be2b1d2cb2a273231813313
Author: isandrk <isandrk@chromium.org>
Date: Wed Feb 08 14:33:51 2017

Added arc_metadata manifest entry & fileSystem permission dict

BUG= 687672 

Review-Url: https://codereview.chromium.org/2684753003
Cr-Commit-Position: refs/heads/master@{#448987}

[modify] https://crrev.com/933ddc2ee726091a7be2b1d2cb2a273231813313/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

Hi Krishna, please QA this change along with this list of permissions whitelisted for M55. After your review, we can request for M57 merge.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/57720137ab43483ab50510fb7f4db7cc0cad412f

commit 57720137ab43483ab50510fb7f4db7cc0cad412f
Author: isandrk <isandrk@chromium.org>
Date: Thu Feb 09 13:07:06 2017

Whitelisted mediaGalleries and usbDevices permission dicts

BUG= 687672 

Review-Url: https://codereview.chromium.org/2686053003
Cr-Commit-Position: refs/heads/master@{#449273}

[modify] https://crrev.com/57720137ab43483ab50510fb7f4db7cc0cad412f/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

We haven't had a new chrome version since Feb 9th, 
1) so only one of your CL's ie, the Added arc_metadata manifest entry & fileSystem permission dict has made it.

arc_metadata permission fails in PS. It works fine when the extension is launched in an User session tho.


2) The other CL ie, Whitelisted mediaGalleries and usbDevices permission dicts hasn't made it to the latest build yet. We should get a build with a newer/uprevved version of chrome tomorrow(I see the latest chrome build currently being build. )

About the arc_metadata I've added it to the manifest for the test extension and when I launch the extension in PS I see the error.
<extension_id> has requested non-whitelisted permission: arc_metadata.

A snapshot of the manifest of the test extension.

 "permissions": [
		"arc_metadata",
                "audioCapture",
		"clipboardWrite"
]

> arc_metadata permission fails in PS. It works fine when the extension is launched in an User session tho.

It works in a normal session because there invalid permissions are ignored, while in PS it does strict checking. So 'arc_metadata' isn't really a permission, but a toplevel manifest entry. You could have a manifest that looks something like:

{
  "name": "Test extensions",
  "version": "1",
  "manifest_version": 2,
  "arc_metadata": {
    "canRotate": false
  },
  "permissions": [
    "audioCapture",
    "clipboardWrite"
  ],
  ...
}

For a list of possible 'arc_metadata' entries, look here https://github.com/vladikoff/chromeos-apk/blob/master/manifest.md (but I don't think you need to test all of them, just that the toplevel one works). 

Comment from someone that works with ARC:
> All legacy ARC apps have this dictionary.  It's not a real permission, it's just where we stuff data to be consumed by the ARC runtime.

So probably the best way to test this is to try installing a legacy ARC app. I'll try to get more context on this, a specific app.

Here's an app you can use for testing:
https://chrome.google.com/webstore/detail/vmware-horizon-client/pckbpdplfajmgaipljfamclkinbjdnma?hl=en

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Verified o R58, that the extensions using the filesystem api and those that have the "arc_metadata entry in the manifest can be installed in Public Sesions. 
Could we please merge this back to R57.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fe6dde74ca066c4837225ef5f138d246611fa018

commit fe6dde74ca066c4837225ef5f138d246611fa018
Author: Ivan Sandrk <isandrk@google.com>
Date: Fri Feb 17 12:43:03 2017

Added arc_metadata manifest entry & fileSystem permission dict

BUG= 687672 

Review-Url: https://codereview.chromium.org/2684753003
Cr-Commit-Position: refs/heads/master@{#448987}
(cherry picked from commit 933ddc2ee726091a7be2b1d2cb2a273231813313)

Review-Url: https://codereview.chromium.org/2700953002 .
Cr-Commit-Position: refs/branch-heads/2987@{#572}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/fe6dde74ca066c4837225ef5f138d246611fa018/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b17e9a502e80c7d50d0d091e10d8d6d609695d9

commit 0b17e9a502e80c7d50d0d091e10d8d6d609695d9
Author: Ivan Sandrk <isandrk@google.com>
Date: Fri Feb 17 12:45:43 2017

Whitelisted mediaGalleries and usbDevices permission dicts

BUG= 687672 

Review-Url: https://codereview.chromium.org/2686053003
Cr-Commit-Position: refs/heads/master@{#449273}
(cherry picked from commit 57720137ab43483ab50510fb7f4db7cc0cad412f)

Review-Url: https://codereview.chromium.org/2699123002 .
Cr-Commit-Position: refs/branch-heads/2987@{#573}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/0b17e9a502e80c7d50d0d091e10d8d6d609695d9/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc

Marking as Verified based on c#14.