How are they permissionless if access can be revoked at any given time by the issuer?

A mint can not revoke a token