1. That's weird and it should not be working if the app does not have any app permission. I will test to verify this later.
2. Off the top of my head, I don't have the reason behind the requirement of the CallControl permission for only receiving the telephony session events. But unfortunately, it is the current requirement, and I know that it causes trouble for app developers trying to meet the app graduation requirement for such a use case. For now, you need to implement some extra features to exercise the CallControl permission. Here is a simple one in Node.js.
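```javascript
// Within your Webhook callback function
// ...
hangupCall(body.telephonySessionId)
// ...

// `platform` is assumed to be the already authenticated SDK platform object
async function hangupCall(telSesId) {
  try {
    // Deleting the telephony session ends the call, which exercises the CallControl permission
    await platform.delete(`/restapi/v1.0/account/~/telephony/sessions/${telSesId}`)
  } catch (e) {
    console.log(e.message)
  }
}
```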
Then make a few incoming calls to the phone number of a user extension who is authenticated to use your app.