if a release could have sensitive info after the removal of a permission on a higher level definition, you'd do as you said and write the new zedtoken to the package, and use that for all following checks