Add a queue permission that prohibits clearing the queue while allowing reading and deleting individual messages
Any SAS that allows processing messages from a queue inherently includes the permission to clear the queue. In scenarios with multiple consumers from a single queue, this is almost always undesirable.
In IoT scenarios, this can be disastrous. You may have thousands of devices processing messages from a single queue. None of those devices needs the ability to clear the queue. A single compromised device can immediately disrupt the entire process. Even worse, if you use the REST API, a simple bug that results in a device omitting the parameters that identify the message to be deleted will be interpreted as a clear command.