Dexterity Type Custom Add Permission Insufficient to Add

In Plone 5.2, I have a dexterity content type with an "add_permission" defined in its schema, but I find that the permission cmf.addportalcontent is also being required to add.

I expected that the configured add_permission would solely grant or revoke permission to add this type. Is the add_permission only for further limiting cmf.addportalcontent? I do not want to grant a global addportalcontent to users who should only add this one type.

To be sure I set up the add_permission correctly, I can see in ZMI that the portal_type add permission is effectively created and configured for the type. The user has the add permission, confirmed by a check in the container view and logging the user's permissions. However, toggling cmf.addportalcontent for the user effectively restricts/allows the add.

The type has a custom (klass) class, so I thought maybe I would need a custom add form with a ZCML permission declaration of the add permission, but making one did not help. cmf.addportalcontent is still required.

Is always requiring addportalcontent the design? If not, how can I find what code is requiring this permission? Verbose security just says unauthorized.

If it is the design, should I grant addportalcontent and limit through placeful workflow to a container and then limit the available types to add? This seems cumbersome/risky vs. granting just the specific add_permission.

Configured permissions are on top of this permission.

This is one way, or, when you need it in several places, define your own container type, similar to folder but with its own custom workflow and type constraints. This is how I would do it.