Re: POC for a function trust mechanism - Mailing list pgsql-hackers

From Isaac Morland
Subject Re: POC for a function trust mechanism
Date
Msg-id CAMsGm5d9kJQUN0Xo2SP0Cjd3uTU46=PQr=KZkiQ6LehANDPe2g@mail.gmail.com
In response to Re: POC for a function trust mechanism  (David Kohn <djk447@gmail.com>)
List pgsql-hackers
On 9 August 2018 at 18:18, David Kohn <djk447@gmail.com> wrote:

> Anyway, I guess all of this seems to introduce a lot more complexity into an already complex permissions management system...is this all about the public schema? Can we just make create function/operator etc something you have to grant even in the public schema? It seems like that could be significantly more user friendly than this.

Already true, if you do:

REVOKE CREATE ON SCHEMA public FROM PUBLIC;

Which I do, in all my databases, and which is probably a good idea in most scenarios.
 
> Or otherwise, would functions owned by the database or schema owner be exempt from this? Because there are many setups where people try to avoid superuser usage by creating database or schema owner users who can do things like create function, which normal users can now use. Would checks be skipped if the function call is schema qualified because then there's no reasonable way to think that someone is being fooled about which function they are executing?

At present, permissions are completely separate from ownership: your ability to use an object does not depend on who owns what (I believe you can even revoke your own rights to use your own stuff). I suspect changing this is probably not a good idea.
