There is a standard process used to backfill permissions. See e.g.
SAK-21332. The same process is documented in a number of postings aimed at administrators. Unfortunately there's a serious problem with it.
The process puts the requested permission into all realms except !site.helper. This interacts badly with the standard permissions edit widget. That widget removes realm permissions when the same permission is inherited from !site.helper or !user.template.
E.g. set assignment2.read and assignment2.submit for Student in !user.template and all normal site realms. Now go into the permissions dialog in assignment2. For Student it will show read and submit as checked, but not selectable. That's because their presence in !user.template causes the permission to be inherited. If you then do Submit in the permissions tool, any read or submit permissions set for the realm will be removed. Unfortunately the assignment 2 tool itself doesn't check !user.template, so student scores will no longer show.
This is arguably a bug in assignment2. But if !user.template is inherited in the same way as !site.helper, I believe the standard backfill SQL should omit !user.template in the same way as !site.helper.
I'm not sure quite what you should do about this report. But at the very least i'd like to see future database upgrade scripts modified to not put the permission in !user.template.