The current user's permissions depend on Session::getAllowedUserRights. To achieve this without the need to rely on global state, PermissionManager needs access to the current user's Session, and perhaps should have it (or the user name and set of allowed rights) injected.
See also T218555: Provide access to WebRequest and associated information via a service object.
See also T231930: Introduce Authority objects to represent the user performing a given action.