The jdk.crypto.pkcs11 module is granted the following permissions:

grant codeBase "jrt:/jdk.crypto.pkcs11" {
    permission java.lang.RuntimePermission
                   "accessClassInPackage.sun.security.*";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
    permission java.lang.RuntimePermission "loadLibrary.j2pkcs11";
    // needs "security.pkcs11.allowSingleThreadedModules"
    permission java.util.PropertyPermission "*", "read";
    permission java.security.SecurityPermission "putProviderProperty.*";
    permission java.security.SecurityPermission "clearProviderProperties.*";
    permission java.security.SecurityPermission "removeProviderProperty.*";
    permission java.security.SecurityPermission
                   "getProperty.auth.login.defaultCallbackHandler";
    permission java.security.SecurityPermission "authProvider.*";
    // Needed for reading PKCS11 config file and NSS library check
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};

The java.lang.RuntimePermission "accessClassInPackage.sun.misc" is unnecessary and can be removed.

The java.util.PropertyPermission "*", "read" is too loose, it can be broken down to only allow reading a few properties.