Hi @tommyr,
I apologize for the delay.
Permissions and RBAC are user-centric. This is explained better here:
This would explain the difference in how they are treated in a SPA where a user is requesting an access token and a M2M app where there is no user.
Hope this helps in some way!
Dan