When I use iText 7 for .NET to read a PDF file encrypted using a certificate and inspect the permissions, the GetPermissions() method returns 0.

Package version: 7.2.1
Operating system: Windows 10

Here is the code that I use to encrypt an existing PDF file:

using var inputPdfReader = PdfReaderFactory.CreatePdfReader("plain.pdf");
using var outputStream = new FileStream("encrypted.pdf", FileMode.Create);

var certificate = new X509Certificate2("mycert.pfx", "secret", X509KeyStorageFlags.Exportable);
var writerProperties = new WriterProperties()
    .SetPublicKeyEncryption(
        new[] { DotNetUtilities.FromX509Certificate(certificate) },
        new[] { EncryptionConstants.ALLOW_COPY | EncryptionConstants.ALLOW_DEGRADED_PRINTING },
        Encryption);
using var pdfWriter = new PdfWriter(outputStream, writerProperties);
using var outputPdfDocument = new PdfDocument(inputPdfReader, pdfWriter);

As long as the certificate is installed in my certificate store I can open the PDF using Acrobat Reader, and it displays the expected permissions:

However, when I read this PDF using iText 7, the permissions come back as 0:

var certificate = new X509Certificate2("mycert.pfx", "secret", X509KeyStorageFlags.Exportable);
if (!certificate.HasPrivateKey)
{
    throw new NotSupportedException("Certificate must have a private key.");
}

var bouncyCertificate = DotNetUtilities.FromX509Certificate(certificate);
var keyPair = DotNetUtilities.GetKeyPair(certificate.GetRSAPrivateKey());
var readerProperties = new ReaderProperties()
    .SetPublicKeySecurityParams(bouncyCertificate, keyPair.Private);
using var pdfReader = new PdfReader("encrypted.pdf", readerProperties);
using var pdfDocument = new PdfDocument(pdfReader);

int permissions = (int)pdfReader.GetPermissions();
// permissions == 0

This looks like a bug in iText 7. Am I missing something?