For granting elevated permissions (e.g. giving checkuser permissions to an app) the user should be in a session with elevated security (in the sense of AuthManager::securitySensitiveOperationStatus()).
|Open||None||T197160 All security-sensitive MediaWiki functionality should require elevated security|
|Open||None||T194398 Require elevated session security for giving elevated permissions|
There is no straightforward way to map grants (or even permissions) to security levels. We could add a new mapping for that ($wgGrantSecurityLevels), or just use the grant name or permission name as security level and let everything fall back to the default reauth configuration most of the time.