For users that have a requirement to call out to an external service as part of their PermissionChecker logic, the portal property permissions.checker provides little use:
This setting is used by PermissionCheckerFactory to construct permission checker objects through reflection in the core portal class loader. This means that one cannot reference any custom APIs that are not available to the global classloader. Ultimately, it is not OSGi-ified which makes replacing it of little actual use.
A suggestion is to change the PermissionCheckerFactory to an OSGi service that can be deployed as its own OSGi module and completely deprecate the use of the permissions.checker portal property. As a note, the PermissionCheckerFactoryImpl sets its service priority to -1. Ideally, users would want the ability to completely remove it and replace it with their own.