in general, we recommend that all "accessed" "exported" items (whether via a

check

call, or on the right hand side of an arrow) be a permission