Some features are dangerous and require higher security (in the sense of AuthManager::securitySensitiveOperationStatus); the current approach is to mark special pages as being security sensitive. That's somewhat fragile (someone might mark the special page but forget to mark the API; the special page might get renamed; the same functionality might be available via other pages, unknown to the developer setting the security level). As a fallback mechanism, it would be nice if we could do the same for user rights directly. That would result in poor UX (no way to stash POSTs like the special pages do, no way to create custom error messages (T180888)) but for a fallback mechanism (that is only supposed to be invoked when the interface-level permission checking had a gap) that should be all right.
We would need to differentiate between "user can do X now" and "user can do X after reauthentication" as permission checks are also used for generating edit links and such so currently if the system determines the user can't perform some action, the option perform it is not even presented.