There are currently two scenarios in which extensions may not have permissions that were within the required set of permissions:
- The runtime host permissions feature, which withholds host permissions requested by the extension until separately approved by the user.
- Enterprise policy withholding certain permissions, such as when a specific API is disallowed by policy.

These are subtly different and don't currently use the same mechanisms, since runtime host permissions can always be granted, but withheld enterprise API permissions can't be.  It would be nice to have a single cohesive mechanism for doing this.

Currently these don't collide, because enterprise policy will only withhold API permissions (they have separate hooks for host permissions - which would also be nice to combine), and runtime host permissions only affect host permissions, but this is somewhat fragile.