Is there a way to assign permissions during bulk upload? I don’t see permissions listed in the bulk upload schema. One approach would be to stash the permissions in meta data then use a hook to apply the permissions using the meta data as the source, but this sounds too hackish to me.
It doesn’t look like you will be able to import permissions with the import job endpoint or extensions. The best way I can suggest is to either import them as app_metadata as you have suggested (and convert them in a rule), or to add them after the import programmatically using the management API.
Hope this helps!