It's the same as articles, once an article is created. I don't think there are missing permissions here.

Surely a better analogy would be with categories or workflows. Categories contain articles. Workflows contains stages, Tours contain stages.

@brianteeman I think you mean steps. But the steps do not have assets.

ok let me try it another way.

How can I prevent someone from creating a new step.

With the current permission settings I can prevent them from deleting or editing a tour and as a consequence I have prevented them from deleting or editing a step.

BUT I can still create new steps in the tour. I should be able to prevent that

One thing though, if someone has no access to a tour, the steps should not be accessible from the tour list. That has to be fixed (apply the same access we apply to the title of the tour in the list to prevent edit).

Steps have no permissions because it was considered a tour and its steps are the same 'object'. Therefore, access to a tour should trickle down to its steps:
if one can edit a tour, one can edit its steps. If one can delete a tour, the steps are deleted, if one can create a tour, one can create its steps...

I understand now that we need those extra permissions (create/edit own)

The steps list page is missing access restrictions in case someone can just edit the URL to access a tour's steps (assuming we prevent the click on the step's count in the tour list).

A PR is getting created to address all those issues.

Closing as having a pull request. Please test #40220 . Thanks in advance.