To keep security at highest level app would requests only very basic permissions when installed. However, when creating a task some additional permissions might be required, for example you might need write_orders permission to add a tag to an order. App automatically detects required permissions when task code is compiled. However you need to help compiler a bit.
When defining REST/GraphQL requests do it at very top of the task: