I have gone through the source, and from what I can see, there aren’t any hooks/filters to tap into changing permissions.
My understanding is that this was an intentional design decision.
While the REST API was built to be extensible, it is not recommended to modify core endpoints in the way you are asking.
There is some limited information available in this section of the REST API handbook, but the gist of it is that as the API ages, more code (whether it be core or third party) will begin to depend on specific actions being available and providing standard responses.
Instead you should create a custom controller.
Custom post types can be given a custom controller by specifying a class name in the rest_controller_class argument to register_post_type().
An overview of how custom controllers should work can be found in the REST API handbook.
Something else to keep in mind is that if you create a custom controller which extends the abstract WP_REST_Controller class for a post type that supports revisions, a number of post type specific revision endpoints will be automatically created.
If it does not extend the WP_REST_Controller class, the register_routes() method is not called so you will have to manually register your custom routes.