In order for WebGPU, or unmaskHints, to be gated by Permissions Policy (aka Feature Policy), I think we need to specify it. There's currently an inline issue in Abuse of capabilities about using Permissions Policy as a mitigation, but I think if we want to do that, it needs to be standardized and specified.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy

As described here, each feature has a default allowlist. As mentioned in that inline issue, our default allowlist might be 'self':

The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin.

• Come up with a proposal
• Iron it out with policy experts
• Add to our spec at the affected points, plus somewhere under "malicious use considerations"
• Add to https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md