In this particular case, per user would make sense as I only have that one public user which should not be able to do anything but browser.
However, if I put a custom option into the “Get” button (the one that currently reads “Deleted”), such as “Go to my custom page” (your example from another thread), that should potentially be accessible. I’d imagine that would be set via the API, so it should enable the developer to expose any custom options to public users (via group or user level).
Generally it feels like it would be better to have permission groups such as “public”, “organisation”, custom ones etc, use them to assign to FCs, then users are only added to those groups. It feels like it would make the entire permission system a lot more flexible?!