Ideally, the enrollment's role field would be sticky. Changes in the UI (or via SIS import processed as UI) are not overridden by the nightly import from SIS.
We would love to restrict permissions for students (like no longer being able to message others if they have abused this), and can do so with a custom course role. We call that role "Restricted Student" and uncheck the permissions to send to individuals and the whole class.
But SIS nightly overrides it... the next day, they can send messages again.
Or, maybe a per-user account-level role override (changes all enrollments of a user to another role?)