Currently, all users with editing access to a course site (via the course-level and account-level "Manage all other course content" permission) have the ability to install a third-party LTI tool within a course. This setting bundles together Modules, Collaborations, LTI, Home Page, Chat, Attendance into a single permission.
Unlike all the other content types included in this permission, which are all native to Canvas, LTI tools have the ability pass through a great deal of student data to a third-party site. This can create legal risks around FERPA and other laws related to student records and privacy.
Adding granularity to this permission would allow institutions to better fulfill their obligations to protect the privacy of student data, and make decisions locally about who should have the ability to install tools that pass student information outside of Canvas.