A friend, Lily Waters, had a great idea of providing a page where users can see what Lakebed app permissions they [do not] have. This was relatively trivial to add and will allow users to ask their system admin to grant them additional permissions if needed.
A newly registered user: https://twitter.com/lakebed_io/status/1192548090042929153/photo/1
A system admin user: https://twitter.com/lakebed_io/status/1192548090042929153/photo/2
One of the reasons I had not done this before is that malicious users will use this information to find vulnerabilities. I have to accept that malicious users are going to know about these end-points whether they're published or not. The system admin can remove access to this page if they feel it presents too much risk.