I think one way to get a handle on what generic permissions we should define and how to define their semantics would be to survey a bunch of existing packages. Some of them go way to far with the granularity the provide (OF tended to go that direction IMO). Others don't. But at least you can get a handle on what kind of access problems they were trying to solve.
Your GRANT privs currently are implemented using the single ADMIN privilege, and I personally have never run into the need for greater granularity. I realize RDBMS security models tend to provide an extremely granular solution but IMO these also tend to be more complex than we need - and I'd argue more complex than they generally need, too.
Tom's discussion regarding restricting actions on attributes could easily be solved within the permissions system if we made attributes objects. I'm not suggesting we pay that implementation cost, only that Tom's solution to this problem is made necessary by a compromise in the permissions/object model.