David Gilbertson
Jan 19, 2019

I think the permissions would be aligned with what the package could do, rather than what it requires.

I don’t know much about the native side of things, but I assume that Node knows what it’s doing — since it must know that it’s not just importing JavaScript.

For example, we could say that if a package wants to require('./something.node') then it must request all permissions because that .node file isn’t going to be JavaScript.

Same with require('child_process') — we have to assume that if that’s imported, the package can do anything.

Is there an instance where a package could step outside of the Node/JavaScript world in a way that can’t be programmatically detected?

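A sketch of the rule proposed in the comment above, added here as an example and not code from the post, npm or Node: scan a package's CommonJS source and assign "all" permissions when it loads a .node file or child_process. The names classifyPackageSource and ESCALATING_MODULES, the 'all'/'declared' labels and the sample sources are assumptions; the sketch goes one step beyond the comment by also assigning "all" when the require() argument is not a plain string literal, since a text scan cannot tell what that call loads.

```javascript
// Added example. All names here are hypothetical, not an npm or Node API.
// Modules that, per the comment, mean the package "can do anything".
const ESCALATING_MODULES = new Set(['child_process']);

// Classify one source file. The scan is deliberately conservative: it does
// not parse JavaScript, so a require() inside a comment or string is also
// counted. Over-reporting is the safe direction for a permission check.
function classifyPackageSource(source) {
  const reasons = [];
  const callRe = /\brequire\s*\(\s*([^)]*?)\s*\)/g;
  for (const [, arg] of source.matchAll(callRe)) {
    // Accept only a quoted literal with no template interpolation.
    const literal = /^(['"`])([^'"`$]*)\1$/.exec(arg);
    if (!literal) {
      reasons.push(`non-literal require(${arg})`);
      continue;
    }
    const spec = literal[2].replace(/^node:/, '');
    if (spec.endsWith('.node')) {
      reasons.push(`native addon ${spec}`);
    } else if (ESCALATING_MODULES.has(spec)) {
      reasons.push(`module ${spec}`);
    }
  }
  return { permissions: reasons.length ? 'all' : 'declared', reasons };
}

// Constructed sample sources, one per case.
const samples = {
  pureJs: "const path = require('path');\nmodule.exports = p => path.basename(p);",
  native: "module.exports = require('./build/Release/binding.node');",
  shell: 'const { exec } = require("child_process");',
  prefixed: "const cp = require('node:child_process');",
  dynamic: 'function load(name) { return require(name); }',
};

for (const [name, src] of Object.entries(samples)) {
  const { permissions, reasons } = classifyPackageSource(src);
  console.log(`${name}: ${permissions}`, reasons);
}
```

The sketch covers require() calls only; ES module import statements would need the same treatment.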