Sensitive permissions on the custom ROM could be added by adding entries in the file /data/system/appops.xml.
The following entry has been created by the system after all required permissions are granted:
<pkg n="com.hmdm.control">
<uid n="10130" p="false">
<op n="3">
<st n="429496729601" t="1611161115001" d="354" />
<st n="858993459201" t="1611161112454" d="356" />
<st n="1503238553601" t="1611161112454" />
</op>
<op n="24" m="0" />
<op n="73">
<st n="429496729601" t="1611161049707" />
</op>
<op n="76">
<st n="429496729601" t="1611161129911" />
<st n="858993459201" t="1611161129911" />
<st n="1073741824001" t="1611161111462" />
<st n="1503238553601" t="1611161112454" />
</op>
<op n="88">
<st n="429496729601" t="1611161130872" />
<st n="858993459201" t="1611161124159" />
</op>
</uid>
</pkg>
Basically, you need to develop an Android app and sign it by OS keys to grant access to protected files. This app should read /data/system/appops.xml, parse and update it, and write it back.
A brief explanation of the entries.
The uid must be unique, this is the underlying Linux user ID running the process. When you parse appops.xml, check for the package ID com.hmdm.control and update this entry if it exists. Otherwise, just find the last user ID and use the next one for the new entry.
The tags op and st encode the required permissions.
<op n="24" m="0" />
stays for "Access to usage history" (similar to Headwind MDM launcher).
Other op and st tags apparently stay for Accessibility permissions (each entry in the accessibility_service_config.xml, a detailed description of the requested accessibility options, is apparently treated by Android as a separate permission). Unfortunately Android doesn't provide documentation about these tags. The t attribute is the permission grant time in milliseconds. Other attributes and tags should apparently be kept the same as in this example.
Notice: after updating the /data/system/appops.xml file, it is required to reboot the device to apply the settings.