From watching the videos, I think:

. Permissions are still enforced outside of the user process. When a new-school app requests a permission, the system pops up the dialog. Or it fast-fails if the user already said "deny and don't ask me again".

. They said that they rejected the false / fake answer solution as used in CyanogenMod. They instead are trying to get app authors explicitly engaged in their users' experiences. Best practice is to make a permission request at the moment it's needed, e.g., if the user hit an audio recording button, it's reasonable to use that moment to ask for microphone access. This approach is good human factors. It's going to be annoying to advertisers.

. Legacy apps get the same install-time dialog as today, and users can subsequently revoke permissions through the system settings.

. My biggest sadness is the complete lack of any discussion of permission bloat from advertising libraries. If there's anything going on with the security ugly of ads, they're not yet willing to discuss it in public.
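
The request-at-time-of-use flow described in the comment above, as an added example that is not part of the original comment: a sketch using the AndroidX runtime-permission calls, assuming an app that targets API 23 or later and declares `RECORD_AUDIO` in its manifest. `RecorderActivity`, `REQ_MIC`, `onRecordButtonClicked`, `startRecording` and `showMicDisabledHint` are hypothetical names.

```java
import android.Manifest;
import android.content.pm.PackageManager;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

// Hypothetical activity: asks for the microphone only when the user taps record.
public class RecorderActivity extends AppCompatActivity {
    private static final int REQ_MIC = 1; // arbitrary request code (assumption)

    // Wire this to the record button's click listener.
    void onRecordButtonClicked() {
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.RECORD_AUDIO)
                == PackageManager.PERMISSION_GRANTED) {
            startRecording();
            return;
        }
        // The system, not this process, decides whether a dialog is shown.
        ActivityCompat.requestPermissions(
                this, new String[] {Manifest.permission.RECORD_AUDIO}, REQ_MIC);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode,
            @NonNull String[] permissions, @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_MIC) return;
        // An empty result array means the request was cancelled: treat it as denied.
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            startRecording();
        } else if (!ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.RECORD_AUDIO)) {
            // False after a denial: the user chose "don't ask again" (or policy
            // blocks the permission), so later requests fail with no dialog.
            showMicDisabledHint();
        }
        // Otherwise a plain denial: leave the feature off until the next tap.
    }

    private void startRecording() { /* app-specific recording code goes here */ }

    private void showMicDisabledHint() {
        Toast.makeText(this, "Microphone access is off. Enable it in system settings.",
                Toast.LENGTH_LONG).show();
    }
}
```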