Refresh user profile on state change to force permission changes.
I have not been able to built a test case that can recreate the issue but have tested and debugged the issue in dev and prod multiple times now. My troubleshooting is outlined in the issue.
The service signals sometimes get passed an out date user model with permission cache attributes, it depends what has run before the state change signal. Refreshing it from DB ensures everything is up to date when the service signals are run.