The behavior of flatpak build-finish is that any permissions from the runtime are added to the app (unless --no-inherit-permissions is specified.) But, when we build:
* Locally: the runtime is not installed, or a random version is installed, not necessarily the one we are building against.
* In the build system: the runtime is not installed.
What we need to do is:

* Call build-finish with --no-inherit-permissions (or more comprehensively isolate the build from Flatpak installations)
* Look up the runtime permissions from the org.flatpak.metadata label for the runtime. (label contents will need to be added to RuntimeInfo - and assume this isn't fixable for the old module codepaths, which we just don't want to regress.)
* Rewrite the metadata file, merging in the runtime permissions, eliminating duplicates
This will require a certain amount of duplication of Flatpak core logic for parsing and writing the permissions in the metadata file but I don't see how to avoid that.
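
A sketch of the merge step from the list above, as an added example that is not part of the ticket or the project's code. It assumes the runtime metadata has already been read from the label, that permissions live in the sections named in `SECTIONS`, and that a `!` prefix negates a list entry with the app's entry winning; it is a simplification, not Flatpak's own merge logic.

```python
import configparser
import io

# Assumed permission sections and list keys; APP/RUNTIME are constructed samples.
SECTIONS = ("Context", "Session Bus Policy", "System Bus Policy", "Environment")
LIST_KEYS = ("shared", "sockets", "devices", "features", "filesystems")
APP = """[Application]
name=org.example.App
[Context]
shared=network;
sockets=x11;!pulseaudio;
"""
RUNTIME = """[Runtime]
name=org.example.Platform
[Context]
shared=ipc;network;
sockets=x11;pulseaudio;wayland;
devices=dri;
[Environment]
EXAMPLE_VAR=/usr/lib/example
"""

def parse(text):
    # Key-file keys are case-sensitive; values may contain ':' or '%'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def merge_list(runtime_value, app_value):
    merged = {}  # keyed without '!' so "x" and "!x" never coexist
    for item in filter(None, (runtime_value + ";" + app_value).split(";")):
        merged[item.lstrip("!")] = item  # later (app) entry replaces the runtime's
    return ";".join(merged.values()) + ";"

def merge_runtime_permissions(app_text, runtime_text):
    app, runtime = parse(app_text), parse(runtime_text)
    for section in (s for s in runtime.sections() if s in SECTIONS):
        if not app.has_section(section):
            app.add_section(section)
        for key, value in runtime.items(section):
            if section == "Context" and key in LIST_KEYS:
                value = merge_list(value, app.get(section, key, fallback=""))
            elif app.has_option(section, key):
                continue  # the app's own scalar setting takes precedence
            app.set(section, key, value)
    out = io.StringIO()
    app.write(out, space_around_delimiters=False)
    return out.getvalue()
```

The `[Runtime]` section is deliberately not copied, so only permission-bearing sections reach the app's metadata.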