OAuth and bot passwords (and maybe other things, now that grants are in core) rely on $wgGrantPermissions to expose access to privileged functionality, but most extensions don't support it. Any extension that defines a user right which can in some way influence use of the API should also create a grant for that right, or add it to some existing grant.
User groups are assigned to users. Grants are assigned to tools. When a tool acts through a user account, it will only have those rights which are available both through the user's groups and the tool's grants.
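The intersection rule above, as a stand-alone sketch that is an added example and not MediaWiki's own code. The arrays are constructed samples shaped like `$wgGroupPermissions`, `$wgGrantPermissions` and `$wgAvailableRights`, the right `examplext-purge` and all three function names are hypothetical, and `$wgRevokePermissions` is ignored for simplicity. It also lists extension rights that no grant exposes.

```php
<?php
// Constructed sample configuration, shaped like MediaWiki's globals.
// 'examplext-purge' is a hypothetical extension-defined right.
$wgGroupPermissions = [
    '*'     => [ 'read' => true ],
    'user'  => [ 'edit' => true ],
    'sysop' => [ 'delete' => true, 'examplext-purge' => true ],
];
$wgGrantPermissions = [
    'basic'    => [ 'read' => true ],
    'editpage' => [ 'edit' => true ],
    'delete'   => [ 'delete' => true ],
];
$wgAvailableRights = [ 'examplext-purge' ]; // rights registered by extensions

/** Rights switched on (value true) in the named entries of a permission map. */
function rightsFrom( array $map, array $names ): array {
    $rights = [];
    foreach ( $names as $name ) {
        foreach ( $map[$name] ?? [] as $right => $on ) {
            if ( $on ) {
                $rights[$right] = true;
            }
        }
    }
    $rights = array_keys( $rights );
    sort( $rights );
    return $rights;
}

/** Rights a tool holds when acting through a user: groups intersected with grants. */
function effectiveRights( array $groupPerms, array $userGroups, array $grantPerms, array $toolGrants ): array {
    return array_values( array_intersect(
        rightsFrom( $groupPerms, $userGroups ),
        rightsFrom( $grantPerms, $toolGrants )
    ) );
}

/** Extension rights that no grant exposes, so no tool can ever be given them. */
function rightsWithoutGrant( array $availableRights, array $grantPerms ): array {
    $granted = rightsFrom( $grantPerms, array_keys( $grantPerms ) );
    return array_values( array_diff( $availableRights, $granted ) );
}

// A sysop's tool holding every grant still lacks the extension right.
$all = array_keys( $wgGrantPermissions );
echo implode( ', ', effectiveRights( $wgGroupPermissions, [ '*', 'user', 'sysop' ], $wgGrantPermissions, $all ) ), "\n";
echo implode( ', ', rightsWithoutGrant( $wgAvailableRights, $wgGrantPermissions ) ), "\n";
```

In this sample the audit reports `examplext-purge`; an entry for that right under a new or existing key of `$wgGrantPermissions` is what makes it reachable by a tool.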