I have a similar situation. Custom group derived from Public, Special Access Level, global permissions for site and admin login.

At J3 I was able to grant permission for options to my extension only for custom user group by setting core.manage or core.options at my extension options. At the backend this group only sees this extension, options of this extension are manageable. I didn't have to give other permissions than core.login.admin at global configuration.

This works, because components/com_config/controller/display.php checks access by

if (!JFactory::getUser()->authorise('core.admin', $component)
   && !JFactory::getUser()->authorise('core.options', $component))

at public function execute(), where $component is my extension.

At J4 restriction to only see my extension works as expected with same settings as at J3, but I have to grant core.manage of global configuration to be able to edit options of my extension. But then my custom group sees lot more at the backend and is able to do much more things than wanted. This is, because libraries/src/Dispatcher/ComponentDispatcher.php checks access by

if ($this->app->isClient('administrator') && !$this->app->getIdentity()-> authorise('core.manage', $this->option))

at protected function checkAccess(), where $this->option is com_config.
If I change this to

if ($this->app->isClient('administrator') && !$this->app->getIdentity()-> authorise('core.manage', $this->option) && !$this->app->getIdentity()-> authorise('core.options', $this->option))

and grant core.options instead of core.manage of global configuration to my custom user group, then I get the wanted behaviour, but I can't estimate if there are unwanted side effects caused by this change.

Is my approach to restrict access to my extension only completely wrong for J4 or would my change to this core file make sense in general?

Please test #27779 27779