(This does not amount to a security vulnerability in released code, only code in master towards 4.1, and so is amenable to tracking in JIRA.)
Beyond requiring SELECT_PORTLET_TYPE to see a given portlet type in the selector UI, require that a user have SELECT_PORTLET_TYPE on the type that he or she actually selects.
Currently, a user can simply edit the integer in the form and thereby proceed to create a portlet of a type for which the user lacks SELECT_PORTLET_TYPE permission.
(Testing just now, I used this technique to get at the workflow for publishing a Bookmarks portlet, as a user without SELECT_PORTLET_TYPE on the Bookmarks type:
This amounts to an "Access control enforced by presentation layer" vulnerability (https://www.owasp.org/index.php/Access_control_enforced_by_presentation_layer).
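The following is an added illustration of the fix being requested, not uPortal's own code: the class, record and method names (PortletType, User, hasPermission, selectTypeUnchecked, selectTypeChecked) and the type catalogue are hypothetical stand-ins. It contrasts a handler that trusts the integer submitted from the selector form with one that re-checks SELECT_PORTLET_TYPE on the type actually submitted.

```java
import java.util.Map;
import java.util.Set;
// Added illustration, not uPortal code: PortletType, User, hasPermission and the
// two selectType handlers are hypothetical stand-ins for the real classes.
public class PortletTypeSelection {
    static final String SELECT_PORTLET_TYPE = "SELECT_PORTLET_TYPE";
    record PortletType(int id, String name) {}
    record User(String name, Set<Integer> selectableTypeIds) {}

    // Constructed catalogue of portlet types keyed by the integer the form submits.
    static final Map<Integer, PortletType> TYPES = Map.of(
        1, new PortletType(1, "Announcements"),
        2, new PortletType(2, "Bookmarks"));

    // Hypothetical permission check: which type ids this user may select.
    static boolean hasPermission(User user, String activity, PortletType type) {
        return SELECT_PORTLET_TYPE.equals(activity) && user.selectableTypeIds().contains(type.id());
    }

    // BEFORE: the selector UI already filtered the list by SELECT_PORTLET_TYPE, so the
    // handler trusts the integer from the form. Editing that integer bypasses the filter.
    static PortletType selectTypeUnchecked(User user, String submittedTypeId) {
        return TYPES.get(Integer.parseInt(submittedTypeId));
    }

    // AFTER: enforce SELECT_PORTLET_TYPE on the type the user actually submitted,
    // and reject ids that are not integers or do not name a known type.
    static PortletType selectTypeChecked(User user, String submittedTypeId) {
        PortletType type;
        try {
            type = TYPES.get(Integer.parseInt(submittedTypeId));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("portlet type id must be an integer", e);
        }
        if (type == null) {
            throw new IllegalArgumentException("unknown portlet type " + submittedTypeId);
        }
        if (!hasPermission(user, SELECT_PORTLET_TYPE, type)) {
            throw new SecurityException(user.name() + " lacks " + SELECT_PORTLET_TYPE + " on " + type.name());
        }
        return type;
    }

    public static void main(String[] args) {
        User user = new User("alice", Set.of(1)); // may select Announcements only
        System.out.println(selectTypeUnchecked(user, "2").name()); // Bookmarks: the UI filter is bypassed
        try {
            selectTypeChecked(user, "2");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage()); // server-side check rejects the edited id
        }
    }
}
```

The same server-side check belongs on every later step of the publishing workflow that takes the type id as input, since the selector page is only one of the places the integer can be supplied.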