Many permission checks only return a boolean (like User::isAllowed) or the permission error they return is hard to customize (like Title::getPermissionError which will just tell which user groups would have the required permission). This is inadequate in scenarios where permissions are restricted unexpectedly (e.g. because the user is blocked, because their account security is wanting, because the system detected something suspicious...).
All permission checks should be able to return a Message. All hooks that interfere with perimission checks (UserGetRights etc) should be able to manipulate that message. All callers to those methods should display those messages if they receive them.