The manifestation as a permission derives from Cate's impression that UI modules would not be available if you didn't have any of the necessary permissions to meaningfully use them. We could have used something basic like users.collection.read, or whatever it's called this week; but the general consensus was that it would be better to make a specific permission that meant exactly "may use the Users UI module".

I wonder if which apps to display for which roles is more of a client-configuration thing to be persisted in the configuration module rather than a server-side permission?

There isn't necessarily a 1:1 correspondence between client and server pieces and we're also dealing with the users interface rather than mod-users in particular and even ui-users could be replaced (eg. some other UI module could be at /users instead and it would more or less work with items provided the links line up)

That is generally true. However the module.NAME.enabled permissions are, as far as I know, the only ones that have no server-side implementation at all. They are only meaningful as giving permission to access specific UI modules.

...but this is client-side code, it's not providing any security, it's just providing a better UX by not displaying elements that will error out and break due to lack of permissions.

Fixed properly in https://github.com/folio-org/stripes-core/commit/fefca70ff2c629deea3a87bd26a21a3196eff696