Hi Andrew,
Thanks for the review!
In fact, the next release (which is slated to go live by the end of this week) does include a permissions model. There are two permission scopes: Administrators and Sharing. Each report can have one or more administrators configured, and only administrators can edit and delete. Sharing rules determine which users can run the reports. You can configure each report to be private (accessible only to report administrators), public (accessible to all logged-in users) or shared with a specified set of users and/or groups. Additionally, reports do currently respect JIRA's issue-level permission schemes - this means that even if a user can access a given report, only those issues that the user otherwise has permission to view will be displayed in the report content.
Hope this helps. Please do feel free to raise a support request with any additional feedback, feature requests, etc.