Currently action permissions only restrict Day-2 and Delete target entities so that people who don't have read access cannot select those entities. The permissions should also apply to entity selection inputs.