Forum OpenACS Development: Response to Permissions Hierarchy

Posted by Don Baccus on
Well, I haven't thought out my scoping notion 100%; thus far it's just an idea floating around, an idea motivated in part by wanting to make the generic admin UI for permissions usable.  Scoping to object types would give that UI page a way to present exactly the list of permissions which the object type implementor makes use of, rather than a list of every permission in the system.

The problem with "querying up the tree" rather than "shoving all the child perms in the table" is query expense.  We already have this gawdawful problem with the complex views to generate various parties to check against ("registered users", "group members" etc) which are sometimes well-optimized and sometimes not by Oracle and/or PG depending on phase of moon and other arbitrary criteria.

Joining with the hierarchy table is one way to "query up the tree".  This might not be terribly expensive if more judicious use were made of the namespace, i.e. there'd be many fewer rows in the hierarchy table and the join would be fast.

I'm glad we're having this discussion because clearly permissions need some thought, and I certainly don't claim to have any silver bullets in my revolver, just one idea that may be useful.
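
Added example, not part of the original post and not OpenACS code: the two approaches the post compares, "querying up the tree" by joining grants to a hierarchy table at check time versus storing every implied child permission as its own row. The table names, columns and sample rows are hypothetical and constructed for illustration; SQLite stands in for Oracle/PG.

```python
import sqlite3

# Hypothetical, simplified tables for illustration; not the OpenACS data model.
SCHEMA = """
CREATE TABLE privilege_hierarchy (privilege TEXT, child_privilege TEXT);
CREATE TABLE grants      (object_id INT, party_id INT, privilege TEXT);
CREATE TABLE grants_flat (object_id INT, party_id INT, privilege TEXT);
"""
# Constructed sample data: admin implies write, write implies read.
HIERARCHY = [("admin", "write"), ("write", "read")]
GRANTS = [(1, 100, "admin"), (1, 200, "read")]

# Recursive CTE: the requested privilege plus every privilege that implies it.
IMPLIED_BY = """
WITH RECURSIVE implied_by(p) AS (
    SELECT ?
    UNION
    SELECT h.privilege FROM privilege_hierarchy h
    JOIN implied_by i ON h.child_privilege = i.p)
"""

def build():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO privilege_hierarchy VALUES (?, ?)", HIERARCHY)
    db.executemany("INSERT INTO grants VALUES (?, ?, ?)", GRANTS)
    # Denormalized variant: store one row per implied privilege at grant time.
    for priv in sorted({p for pair in HIERARCHY for p in pair}):
        rows = db.execute(IMPLIED_BY + "SELECT DISTINCT g.object_id, g.party_id "
                          "FROM grants g JOIN implied_by i ON g.privilege = i.p",
                          (priv,)).fetchall()
        db.executemany("INSERT INTO grants_flat VALUES (?, ?, ?)",
                       [(o, u, priv) for o, u in rows])
    return db

def check_tree(db, obj, party, priv):
    """Query up the tree: join direct grants to the hierarchy on every check."""
    sql = IMPLIED_BY + ("SELECT 1 FROM grants g JOIN implied_by i "
                        "ON g.privilege = i.p "
                        "WHERE g.object_id = ? AND g.party_id = ? LIMIT 1")
    return db.execute(sql, (priv, obj, party)).fetchone() is not None

def check_flat(db, obj, party, priv):
    """Single-table lookup against the pre-expanded rows."""
    sql = ("SELECT 1 FROM grants_flat "
           "WHERE object_id = ? AND party_id = ? AND privilege = ? LIMIT 1")
    return db.execute(sql, (obj, party, priv)).fetchone() is not None

def flat_row_count(db):
    return db.execute("SELECT COUNT(*) FROM grants_flat").fetchone()[0]
```

Both checks must return the same answer for every (object, party, privilege) triple; the flat table only stays correct if it is re-expanded whenever a grant or a hierarchy row changes.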