The end user needs ‘UPDATE’ permission on the app that is to be commented on (modified) via the extension.
The end user needs a security rule on appObject granting ‘READ’ permission on the load script, so that a partial reload can be triggered (by default, Qlik Sense blocks script access in published apps).
The end user also needs ‘READ’ permission on every data connection that appears in the load script (all data connections used in the current app, whether or not they are actually executed during the partial reload; unfortunately, this is how Qlik works).
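To keep the data-connection grants in the last requirement as narrow as possible, the connections a load script references can be listed statically and compared with what the user has already been granted. The sketch below is an added example, not part of the extension or of Qlik Sense: the function names, the sample script and the connection names are constructed, and it assumes connections are referenced only through the standard `LIB CONNECT TO` and `lib://` forms.

```python
import re

# LIB CONNECT TO 'name' | "name" | [name]
LIB_CONNECT = re.compile(
    r"""\bLIB\s+CONNECT\s+TO\s+(?:'([^']+)'|"([^"]+)"|\[([^\]]+)\])""",
    re.IGNORECASE)
# lib://name/...  (the connection name is everything up to the first slash)
LIB_PATH = re.compile(r"""lib://([^/\]'"\r\n]+)""", re.IGNORECASE)

def connections_needing_read(script):
    """Return (names, unresolved) for every connection the script mentions.

    Branches are not evaluated: a connection inside a block that never runs
    during a partial reload is still reported, matching the requirement above.
    Comments are not stripped either, so commented-out references show up
    and should be reviewed by hand (assumption: the page does not say how
    Qlik treats them).
    """
    found = [next(g for g in m.groups() if g) for m in LIB_CONNECT.finditer(script)]
    found += [m.group(1) for m in LIB_PATH.finditer(script)]
    names, unresolved = set(), set()
    for raw in (f.strip() for f in found):
        # $(var) is expanded at reload time and cannot be resolved statically.
        (unresolved if "$(" in raw else names).add(raw)
    return sorted(names), sorted(unresolved)

def missing_read(script, granted):
    """Connections named in the script that are absent from `granted`."""
    needed, unresolved = connections_needing_read(script)
    return [n for n in needed if n not in granted], unresolved

# Constructed sample load script (not taken from a real app).
SAMPLE_SCRIPT = """
LIB CONNECT TO 'SalesDB';
Orders: SQL SELECT * FROM orders;

IF IsPartialReload() THEN
  Comments:
  ADD LOAD * FROM [lib://CommentStore/comments.qvd] (qvd);
ELSE
  Archive:
  LOAD * FROM [lib://Archive (corp_svc)/old.qvd] (qvd);
  LOAD * FROM [lib://$(vEnv)/extra.csv] (txt);
END IF
"""

if __name__ == "__main__":
    print(missing_read(SAMPLE_SCRIPT, {"SalesDB", "CommentStore"}))
```

Unresolved entries come from dollar-sign expansions and have to be mapped to real connection names manually before deciding which READ rules to create.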