Follow-up / spin-off from
Currently we are using a separate, relational database table to assign permissions to roles. The patch in the aforementioned issue already moves those assignments into a new config namespace. However, this should just be a temporary solution... We can improve that even further by simply putting the permissions that have been assigned to a role into a $role->permissions property.
Open question: Would this work well with config import/export/defaults? (How would a custom contrib module provide default role permission assignments for the new permissions that it adds?